Preface


It was our privilege to serve as the program chairs for CAV 2022, the 34th 
International Conference on Computer-Aided Verification. CAV 2022 was held during 
August 7-10, 2022. CAV-affiliated workshops were held on July 31 to August 1 
and August 11 to August 12. This year, CAV was held as part of the Federated 
Logic Conference (FLoC) and was collocated with many other conferences in 
software/hardware verification and logic for computer science. Due to the easing of 
COVID-19 travel restrictions, CAV 2022 and the rest of the FLoC were in-person events. 

CAV is an annual conference dedicated to the advancement of the theory and practice 
of computer-aided formal analysis methods for hardware and software systems. The 
primary focus of CAV is to extend the frontiers of verification techniques by expanding 
to new domains such as security, quantum computing, and machine learning. This puts 
CAV at the cutting edge of formal methods research, and this year’s program is a reflection
of this commitment. 

CAV 2022 received a high number of submissions (209). We accepted nine tool 
papers, two case studies, and 40 regular papers, which amounts to an acceptance rate 
of roughly 24%. The accepted papers cover a wide spectrum of topics, from theoretical 
results to applications of formal methods. These papers apply or extend formal methods 
to a wide range of domains such as smart contracts, concurrency, machine learning, 
probabilistic techniques, and industrially deployed systems. The program featured a 
keynote talk by Ziyad Hanna (Cadence Design Systems and University of Oxford), a 
plenary talk by Aarti Gupta (Princeton University), and invited talks by Arie Gurfinkel 
(University of Waterloo) and Neha Rungta (Amazon Web Services). Furthermore, we 
continued the tradition of Logic Lounge, a series of discussions on computer science 
topics targeting a general audience. In addition to all talks at CAV, the attendees got 
access to talks at other conferences held as part of FLoC. 

In addition to the main conference, CAV 2022 hosted the following workshops: 
Formal Methods for ML-Enabled Autonomous Systems (FOMLAS), On the Not So 
Unusual Effectiveness of Logic, Formal Methods Education Online, Democratizing 
Software Verification (DSV), Verification of Probabilistic Programs (VeriProP), 
Program Equivalence and Relational Reasoning (PERR), Parallel and Distributed 
Automated Reasoning, Numerical Software Verification (NSV-XV), Formal Reasoning 
in Distributed Algorithms (FRIDA), Formal Methods for Blockchains (FMBC), 
Synthesis (Synt), and Workshop on Open Problems in Learning and Verification of 
Neural Networks (WOLVERINE). 

Organizing a flagship conference like CAV requires a great deal of effort from the 
community. The Program Committee (PC) for CAV 2022 consisted of 86 members — a 
committee of this size ensures that each member has a reasonable number of papers to 
review in the allotted time. In all, the committee members wrote over 800 reviews while 
investing significant effort to maintain and ensure the high quality of the conference 
program. We are grateful to the CAV 2022 PC for their outstanding efforts in evaluating 
the submissions and making sure that each paper got a fair chance. Like recent years in 
CAV, we made the artifact evaluation mandatory for tool paper submissions and optional
but encouraged for the rest of the accepted papers. The Artifact Evaluation Committee 
consisted of 79 reviewers who put in significant effort to evaluate each artifact. The goal 
of this process was to provide constructive feedback to tool developers and help make 
the research published in CAV more reproducible. The Artifact Evaluation Committee 
was generally quite impressed by the quality of the artifacts. Among the accepted regular 
papers, 77% of the authors submitted an artifact, and 58% of these artifacts passed the 
evaluation. We are very grateful to the Artifact Evaluation Committee for their hard work 
and dedication in evaluating the submitted artifacts. 

CAV 2022 would not have been possible without the tremendous help we received 
from several individuals, and we would like to thank everyone who helped make CAV 
2022 a success. First, we would like to thank Maria A Schett and Daniel Dietsch for 
chairing the Artifact Evaluation Committee and Hari Govind V K for putting together the 
proceedings. We also thank Grigory Fedyukovich for chairing the workshop organization 
and Shachar Itzhaky for managing publicity. We would like to thank the FLoC organizing 
committee for organizing the Logic Lounge, Mentoring workshop, and arranging student 
volunteers. We also thank Hana Chockler for handling sponsorship for all conferences 
in FLoC. We would also like to thank FLoC chair Alexandra Silva and co-chairs Orna 
Grumberg and Eran Yahav for the support provided. Last but not least, we would like 
to thank members of the CAV Steering Committee (Aarti Gupta, Daniel Kroening, 
Kenneth McMillan, and Orna Grumberg) for helping us with several important aspects 
of organizing CAV 2022. 

We hope that you will find the proceedings of CAV 2022 scientifically interesting 
and thought-provoking! 


June 2022 Sharon Shoham 
Yakir Vizel 
Abstract. Markov decision processes (MDP) and continuous-time MDP (CTMDP) are the fundamental models for non-deterministic systems with probabilistic uncertainty. Mean payoff (a.k.a. long-run average reward) is one of the most classic objectives considered in their context. We provide the first algorithm to compute mean payoff probably approximately correctly in unknown MDP; further, we extend it to unknown CTMDP. We do not require any knowledge of the state space, only a lower bound on the minimum transition probability, which has been advocated in literature. In addition to providing probably approximately correct (PAC) bounds for our algorithm, we also demonstrate its practical nature by running experiments on standard benchmarks.


1 Introduction 


Markov decision process (MDP) [7,30,32] is a basic model for systems featuring both probabilistic and non-deterministic behaviour. They come in two flavours: discrete-time MDP (often simply MDP) and continuous-time MDP (CTMDP). While the evolution of MDP happens in discrete steps, their natural real-time extension CTMDP additionally features random time delays governed by exponential probability distributions. Their application domain ranges across a wide spectrum, e.g. operations research [10,16], power management and scheduling [31], networked and distributed systems [19,22], or communication protocols [28], to name a few. One of the key aspects of such systems is their performance, often formalized as mean payoff (also called long-run average reward), one of the classic and most studied objectives on (CT)MDP [30] with numerous applications [17]. In this context, probabilistic model checking and performance evaluation intersect [5]. While the former takes the verification perspective of the worst-case analysis and the latter the perspective of optimization for the best case, they are mathematically dual and thus algorithmically the same.

The range of analysis techniques provided by literature is very rich, encompassing linear programming, policy iteration, or value iteration. However, these are applicable only in the setting where the (CT)MDP is known (whitebox setting). In order to handle the blackbox setting, where the model is unknown or only partially known, statistical model checking (SMC) [37] relaxes the requirement of the hard guarantees on the correctness (claimed precision) of the result. Instead it uses probably approximately correct (PAC) analysis, which provides essentially a confidence interval on the result: with probability (confidence) at least $1 - \delta$, the result of the analysis is $\varepsilon$-close to the true value. This kind of analysis may be applicable to those systems for which we do not have exclusive access to their internal functionalities, but we can still observe their behaviour.

In this paper, we provide the first algorithm with PAC bounds on the mean payoff in blackbox MDP. We treat both the discrete-time and continuous-time MDP, and the SMC algorithm not only features PAC bounds (returning the result with prescribed precision and confidence), but is also an anytime algorithm (gradually improving the result and, if terminated prematurely, able to return the current approximation with its precision and the required confidence).

The difficulty with blackbox models is that we do not know the exact transition probabilities, not even the number of successors for an action from a state. The algorithm thus must simulate the MDP to obtain any information. The visited states can be augmented to a model of the MDP and statistics used to estimate the transition probabilities. The estimates can be used to compute mean payoff precisely on the model. The results of [12] and [33] then provide a method for estimating the number of times each state-action pair needs to be visited in an MDP to obtain a PAC bound on the expected mean-payoff value of the original MDP. However, notice that this requires that the topology be learnt perfectly, for which we either need some knowledge of the state space or recent development in the spirit of [3]. On the one hand, this simple algorithm thus follows in a straightforward way from the recent results in the literature (although to the best of our knowledge it has not been presented as such yet). On the other hand, the required number of samples using these bounds is prohibitively large, and therefore, giving guarantees with such analysis is not feasible at all in practice. In fact, the numbers are astronomic already for Markov chains with a handful of states [13]. We discuss further drawbacks of such a naive solution in Sect. 3. Our main contribution in this paper is a practical algorithm. It takes the most promising actions from every state and uses the on-demand value iteration [2], not even requiring an exhaustive exploration of the entire MDP. Using techniques of [3,13], we can show that the partial model captures enough information. Most importantly, instead of using [12,33], the PAC bounds are derived directly from the concrete confidence intervals, reflecting the width of each interval and the topology of the model, in the spirit of the practical SMC for reachability [3].
Our contribution can be summarized as follows:


— We provide the first algorithm with PAC bounds on the mean payoff in blackbox MDP (Sect. 4) and its extension to blackbox CTMDP (Sect. 5).

— We discuss the drawbacks of a possible more straightforward solution and how to overcome them (in Sect. 3 on the conceptual level, before we dive into the technical algorithms in the subsequent sections).

— We evaluate the algorithm on the standard benchmarks of MDP and CTMDP and discuss the effect of heuristics, partial knowledge of the model, and variants of the algorithms (Sect. 6).


Related Work. SMC of unbounded-horizon properties of MDPs was first considered in [23,29] for reachability. [20] gives a model-free algorithm for $\omega$-regular properties, which is convergent but provides no bounds on the current error. Several approaches provide SMC for MDPs and unbounded-horizon properties with PAC guarantees. Firstly, the algorithm of [18] requires (1) the mixing time $T$ of the MDP, (2) the ability to restart simulations also in non-initial states, (3) visiting all states sufficiently many times, and thus (4) the knowledge of the size of the state space $|S|$. Secondly, [9], based on delayed Q-learning [34], lifts the assumptions (2) and (3) and instead of (1) requires only (a bound on) the minimum transition probability $p_{\min}$. Thirdly, [3] additionally lifts the assumption (4), keeping only $p_{\min}$, as in this paper. In [13], it is argued that while unbounded-horizon properties cannot be analysed without any information on the system, knowledge of (a lower bound on) the minimum transition probability $p_{\min}$ is a relatively light and realistic assumption in many scenarios, compared to the knowledge of the whole topology. In this paper, we thus adopt this assumption.

In contrast to SMC that uses possibly more (re-started) runs of the system, 
there are online learning approaches, where the desired behaviour is learnt for the 
single run. Model-based learning algorithms for mean payoff have been designed 
both for minimizing regret [4,36] as well as for PAC online learning [25, 26]. 

Due to lack of space, the proofs and some more experimental results and 
discussions appear in [1]. 


2 Preliminaries 


A probability distribution on a finite set $X$ is a mapping $\mu : X \to [0,1]$ such that $\sum_{x \in X} \mu(x) = 1$. We denote by $\mathcal{D}(X)$ the set of probability distributions on $X$.


Definition 1. (MDP). A Markov decision process is a tuple of the form $\mathcal{M} = (S, s_{init}, Act, Av, T, r)$, where $S$ is a finite set of states, $s_{init} \in S$ is the initial state, $Act$ is a finite set of actions, $Av : S \to 2^{Act}$ assigns to every state a set of available actions, $T : S \times Act \to \mathcal{D}(S)$ is a transition function that given a state $s$ and an action $a \in Av(s)$ yields a probability distribution over successor states, and $r : S \to \mathbb{R}_{\geq 0}$ is a reward function, assigning rewards to states.


For ease of notation, we write $T(s,a,t)$ instead of $T(s,a)(t)$. We denote by $Post(s,a)$ the set of states that can be reached from $s$ through action $a$. Formally, $Post(s,a) = \{t \mid T(s,a,t) > 0\}$.


6 C. Agarwal et al. 


The choices of actions are resolved by strategies, generally taking history into account and possibly randomizing. However, for mean payoff it is sufficient to consider positional strategies of the form $\pi : S \to Act$. The semantics of an MDP with an initial state $s_{init}$ is given in terms of each strategy $\sigma$ inducing a Markov chain $\mathcal{M}^\sigma_{s_{init}}$ with the respective probability space and unique probability measure $\mathbb{P}^\sigma_{s_{init}}$, and the expected value $\mathbb{E}^\sigma_{s_{init}}[F]$ of a random variable $F$ (see e.g. [6]). We drop $\mathcal{M}^\sigma_{s_{init}}$ when it is clear from the context.


End Components. An end-component (EC) $M = (T, A)$, with $\emptyset \neq T \subseteq S$ and $A : T \to 2^{Act}$, of an MDP $\mathcal{M}$ is a sub-MDP of $\mathcal{M}$ such that: for all $s \in T$, we have that $A(s)$ is a subset of the actions available from $s$; for all $a \in A(s)$, we have $Post(s,a) \subseteq T$; and its underlying graph is strongly connected. A maximal end-component (MEC) is an EC that is not included in any other EC. Given an MDP $\mathcal{M}$, the set of its MECs is denoted by $MEC(\mathcal{M})$. For $MEC(\mathcal{M}) = \{(T_1, A_1), \ldots, (T_n, A_n)\}$, we define $MEC_S = \bigcup_i T_i$ as the set of all states contained in some MEC.


Definition 2. (continuous-time MDP (CTMDP)). A continuous-time Markov decision process is a tuple of the form $\mathcal{M} = (S, s_{init}, Act, Av, R, r)$, where $S$ is a finite set of states, $s_{init} \in S$ is the initial state, $Act$ is a finite set of actions, $Av : S \to 2^{Act}$ assigns to every state a set of available actions, $R : S \times Act \times S \to \mathbb{R}_{\geq 0}$ is a transition rate matrix that given a state $s$ and an action $a \in Av(s)$ defines the set of successors $t$ of $s$ on action $a$ if $R(s,a,t) > 0$, and $r : S \to \mathbb{R}_{\geq 0}$ is a reward rate function, assigning to each state $s$ the reward obtained for spending unit time in $s$.


A strategy in a CTMDP decides immediately after entering a state which action needs to be chosen from the current state. For a given state $s \in S$ and an action $a \in Av(s)$, we denote by $\lambda(s,a) = \sum_t R(s,a,t) > 0$ the exit rate of $a$ in $s$. The residence time for action $a$ in $s$ is exponentially distributed with mean $1/\lambda(s,a)$. An equivalent way of looking at CTMDP is that in state $s$, we wait for a time which is exponentially distributed with mean $1/\lambda(s,a)$, and then with probability $\Delta(s,a,t) = R(s,a,t)/\lambda(s,a)$, we make a transition to state $t$. The reward accumulated for spending time $t$ in $s$ is $r(s) \cdot t$.


Uniformization. A uniform CTMDP has a constant exit rate $C$ for all state-action pairs, i.e., $\lambda(s,a) = C$ for all states $s \in S$ and actions $a \in Av(s)$. The procedure of converting a non-uniform CTMDP into a uniform one is called uniformization. Consider a non-uniform CTMDP $\mathcal{M}$. Let $C \in \mathbb{R}_{\geq 0}$ such that $C > \lambda(s,a)$ for all $s \in S$ and $a \in Act$. We can obtain a uniform CTMDP $\mathcal{M}_C$ by assigning the new rates

$$R'(s,a,t) = \begin{cases} R(s,a,t) & \text{if } s \neq t \\ R(s,a,t) + C - \lambda(s,a) & \text{if } s = t \end{cases} \qquad (1)$$

For every action $a \in Av(s)$ from each state $s$ in the new CTMDP we have a self loop if $\lambda(s,a) < C$. Due to a constant transition rate, the mean interval time between any two actions is constant.
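As an added example (not code from the paper), the following Python applies the uniformization rule of Eq. (1) to a constructed 3-state CTMDP, builds the embedded MDP $\Delta(s,a,t) = R(s,a,t)/\lambda(s,a)$, and evaluates, under a fixed positional strategy, both the per-step mean payoff defined in the Mean Payoff paragraph and the long-run reward per unit time. It checks that after uniformization every exit rate equals $C$, that the stationary distribution of the uniformized embedded chain is the time-weighted distribution of the original CTMDP (so the reward rate is unchanged), and that the per-step mean payoff is rescaled by the holding time; the rates, rewards and strategy are constructed for illustration.

```python
# Added example (not from the paper): uniformization per Eq. (1) and the
# embedded MDP of a CTMDP. Rates, rewards and the strategy are constructed.
from fractions import Fraction as F

STATES = [0, 1, 2]
# Transition rate matrix R(s, a, t) of the constructed 3-state CTMDP.
R = {
    (0, "a"): {1: F(2), 2: F(1)},   # lambda(0, a) = 3
    (0, "b"): {2: F(1, 2)},         # lambda(0, b) = 1/2
    (1, "a"): {0: F(1), 2: F(1)},   # lambda(1, a) = 2
    (2, "a"): {0: F(4)},            # lambda(2, a) = 4
}
REWARD = {0: F(0), 1: F(1), 2: F(1, 2)}  # reward rate r(s)
STRATEGY = {0: "a", 1: "a", 2: "a"}       # a positional strategy pi


def exit_rate(rates, s, a):
    """lambda(s, a) = sum_t R(s, a, t)."""
    return sum(rates[(s, a)].values())


def uniformize(rates, C):
    """Eq. (1): R'(s,a,t) = R(s,a,t) for s != t, and the self loop gets
    R(s,a,s) + C - lambda(s,a); requires C >= lambda(s,a) for every pair."""
    out = {}
    for (s, a), succ in rates.items():
        lam = exit_rate(rates, s, a)
        if C < lam:
            raise ValueError("C must dominate every exit rate")
        new = dict(succ)
        new[s] = new.get(s, F(0)) + C - lam
        out[(s, a)] = {t: q for t, q in new.items() if q > 0}
    return out


def embedded_mdp(rates):
    """Delta(s,a,t) = R(s,a,t) / lambda(s,a): the embedded discrete-time MDP."""
    return {(s, a): {t: q / exit_rate(rates, s, a) for t, q in succ.items()}
            for (s, a), succ in rates.items()}


def solve(A, b):
    """Exact Gauss-Jordan elimination for a nonsingular system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        pv = M[col][col]
        M[col] = [x / pv for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def stationary(P, strategy, states):
    """Stationary distribution of the Markov chain induced by `strategy` on the
    transition function P (assumed irreducible): solve pi P = pi, sum pi = 1."""
    n, idx = len(states), {s: i for i, s in enumerate(states)}
    A = [[F(0)] * n for _ in range(n)]
    for s in states:
        for t, q in P[(s, strategy[s])].items():
            A[idx[t]][idx[s]] += q        # row t: sum_s pi(s) P(s, t) ...
        A[idx[s]][idx[s]] -= 1            # ... - pi(s) = 0
    A[n - 1] = [F(1)] * n                 # one row is redundant: use sum pi = 1
    b = [F(0)] * (n - 1) + [F(1)]
    return dict(zip(states, solve(A, b)))


def mean_payoff_per_step(rates, reward, strategy, states):
    """The paper's per-step mean payoff of a CTMDP under a positional strategy:
    lim 1/n sum_i E(r(S_i)/lambda(S_i,A_i)) = sum_s pi(s) r(s)/lambda(s,pi(s)),
    with pi the stationary distribution of the embedded chain."""
    pi = stationary(embedded_mdp(rates), strategy, states)
    return sum(pi[s] * reward[s] / exit_rate(rates, s, strategy[s]) for s in states)


def reward_rate(rates, reward, strategy, states):
    """Long-run reward per unit time: weight pi(s) by the mean holding time
    1/lambda(s, pi(s)), renormalise, and average r(s) under that weight."""
    pi = stationary(embedded_mdp(rates), strategy, states)
    w = {s: pi[s] / exit_rate(rates, s, strategy[s]) for s in states}
    tot = sum(w.values())
    return sum(w[s] / tot * reward[s] for s in states)


if __name__ == "__main__":
    U = uniformize(R, F(5))                               # C = 5 > every exit rate
    print({sa: exit_rate(U, *sa) for sa in U})            # every exit rate is 5
    print(stationary(embedded_mdp(U), STRATEGY, STATES))  # {0: 2/5, 1: 2/5, 2: 1/5}
    print(mean_payoff_per_step(R, REWARD, STRATEGY, STATES),
          mean_payoff_per_step(U, REWARD, STRATEGY, STATES))  # 5/28 vs 1/10
    print(reward_rate(R, REWARD, STRATEGY, STATES),
          reward_rate(U, REWARD, STRATEGY, STATES))           # 1/2 both
```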
Mean Payoff. In this work, we consider the (maximum) mean payoff (or long-run average reward) of an MDP $\mathcal{M}$, which intuitively describes the (maximum) average reward per step we expect to see when simulating the MDP for time going to infinity. Formally, let $S_i, A_i, R_i$ be random variables giving the state visited, action played, and reward obtained in step $i$, and for CTMDP, $T_i$ the time spent in the state appearing in step $i$. For MDP, $R_i := r(S_i)$, whereas for CTMDP, $R_i := r(S_i) \cdot T_i$; consequently, for a CTMDP and a strategy $\pi$, we have $\mathbb{E}^\pi(R_i) = \mathbb{E}^\pi\!\left(\frac{r(S_i)}{\lambda(S_i, A_i)}\right)$. Thus given a strategy $\pi$, the $n$-step average reward is

$$v_n^\pi(s) := \frac{1}{n} \sum_{i=0}^{n-1} \mathbb{E}^\pi(R_i) = \frac{1}{n} \sum_{i=0}^{n-1} \mathbb{E}^\pi\!\left(\frac{r(S_i)}{\lambda(S_i, A_i)}\right),$$

with the latter equality holding for CTMDP. For both MDP and CTMDP, the mean payoff is then

$$v(s) := \max_{\pi} \liminf_{n \to \infty} v_n^\pi(s),$$

where the maximum over all strategies can also be without loss of generality restricted to the set of positional strategies $\Pi^{MD}$. A well-known alternative characterization we use in this paper is

$$v(s) = \max_{\pi} \sum_{M \in MEC(\mathcal{M})} \mathbb{P}^\pi_s[\Diamond\Box M] \cdot v_M, \qquad (2)$$

where $\Diamond$ and $\Box$ respectively denote the standard LTL operators eventually and always. Further, $\Diamond\Box M$ denotes the set of paths that eventually remain forever within $M$ and $v_M$ is the unique value achievable in the (CT)MDP restricted to the MEC $M$. Note that $v_M$ does not depend on the initial state chosen for the restriction.

We consider algorithms that have a limited information about the MDP. 


Definition 3. (Blackbox and greybox). An algorithm inputs an MDP or a CTMDP as blackbox if

— it knows $s_{init}$,
— for a given state,¹ an oracle returns its available actions,
— given a state $s$ and action $a$, it can sample a successor $t$ according to $T(s,a)$,
— it knows $p_{\min} \leq \min_{s \in S,\, a \in Av(s),\, t \in Post(s,a)} T(s,a,t)$, an under-approximation of the minimum transition probability.

When input as greybox, it additionally knows the number $|Post(s,a)|$ of successors for each state $s$ and action $a$. Note that the exact probabilities on the transitions in an MDP or the rates in a CTMDP are unknown for both blackbox and greybox learning settings.

¹ In contrast to practical setups in monitoring, our knowledge of the current state is complete, i.e., the previously visited states can be uniquely identified.
3 Overview of Our Approach


Since no solutions are available in the literature and our solution consists of 
multiple ingredients, we present it in multiple steps to ease the understanding. 
First, we describe a more naive solution and pinpoint its drawbacks. Second, we 
give an overview of a more sophisticated solution, eliminating the drawbacks. 
Third, we fill in its details in the subsequent sections. Besides, each of the three 
points is first discussed on discrete-time MDPs and then on continuous-time 
MDPs. The reason for this is twofold: the separation of concerns simplifies the 
presentation; and the algorithm for discrete-time MDP is equally important and 
deserves a standalone description. 


3.1 Naive Solution 


We start by suggesting a conceptually simple solution. We can learn mean payoff $MP$ in an MDP $\mathcal{M}$ as follows:

(i) Via simulating the MDP $\mathcal{M}$, we learn a model $\mathcal{M}'$ of $\mathcal{M}$, i.e., we obtain confidence intervals on the transition probabilities of $\mathcal{M}$ (of some given width $\varepsilon_{TP}$, called TP-imprecision, and confidence $1 - \delta_{TP}$, where $\delta_{TP}$ is called TP-inconfidence).

(ii) We compute the mean payoff $\widetilde{MP}$ on the (imprecise) model $\mathcal{M}'$.

(iii) We compute the MP-imprecision $\varepsilon_{MP} = |MP - \widetilde{MP}|$ of the mean payoff from the TP-imprecision by the “robustness” theorem [8] which quantifies how mean payoff can change when the system is perturbed with a given maximum perturbation. Further, we compute the overall MP-inconfidence $\delta_{MP}$ from the TP-inconfidence $\delta_{TP}$; in particular, we can simply accumulate all the uncertainty and set $\delta_{MP} = |T| \cdot \delta_{TP}$, where $|T|$ is the number of transitions. The result is then probably approximately correct, being $\varepsilon_{MP}$-precise with confidence $1 - \delta_{MP}$. (Inversely, from a desired $\varepsilon_{MP}$ we can also compute a sufficient $\varepsilon_{TP}$ to be used in the first step.)


Learning the model, i.e. the transition probabilities, can be done by observing the simulation runs and collecting, for each state-action pair $(s,a)$, statistics of which states occur right after playing $a$ in $s$. The frequency of each successor $t$ among all successors then estimates the transition probability $T(s,a,t)$. This is the standard task of estimating the generalized Bernoulli variable (a fixed distribution over finitely many options) with confidence intervals. We stop simulating when each transition probability has a precise enough confidence interval (with $\varepsilon_{TP}$ and $\delta_{TP}$ yielded by the robustness theorem from the desired overall precision).² The drawbacks are (D1: uniform importance) that even transitions with little to no impact on the mean payoff have to be estimated precisely (with $\varepsilon_{TP}$ and $\delta_{TP}$); and (D2: uniform precision required) that, even restricting our attention to “important” transitions, it may take a long time before the last one is estimated precisely (while others are already estimated overly precisely).

² Several non-trivial questions are dealt with later on: how to resolve the action choices during simulations; when to stop each simulation run and start a new one; additionally, in the black-box setting, when do we know that all successors of each transition have been observed. In particular, the last one is fundamental for the applicability of the robustness theorem. While the literature typically assumes the greybox setting or even richer information, to allow for such an algorithm with PAC bounds, our approach only needs $p_{\min}$.

Subsequently, using standard algorithms the mean payoff $MP$ can be computed precisely by linear programming [30] or precisely enough by value iteration [2]. The respective $MP$ can then be estimated by the robustness theorem [8], which yields for a given maximum perturbation of transition probabilities (in our case, $\varepsilon_{TP}/2$) an upper bound on the respective perturbation of the mean payoff $\varepsilon_{MP}/2$. The drawbacks are (D3: uniform precision utilized) that more precise confidence intervals for transitions (obtained due to D2) are not utilized, only the maximum imprecision is taken into account; and (D4: a-priori bounds) that the theorem is extremely conservative. Indeed, it reflects neither the topology of the MDP nor how impactful each transition is and thus provides an a-priori bound, extremely loose compared to the possible values of mean payoff that can be actually obtained for concrete values within the confidence intervals. This is practically unusable beyond a handful of states even for Markov chains [13].

For CTMDP $\mathcal{M}$, we additionally need to estimate the rates (see below how). Subsequently, we can uniformize the learnt CTMDP $\mathcal{M}'$. Mean payoff of the uniformized CTMDP is then equal to the mean payoff of its embedded MDP.³ Hence, we can proceed as before but we also have to compute (i) confidence intervals for the rates from finitely many observations, and (ii) the required precision and confidence of these intervals so that the respective induced error on the mean payoff is not too large. Hence all the drawbacks are inherited and, additionally, also applied to the estimates of the rates. Besides, (D5: rates) while imprecisions of rates do not increase MP-imprecision too much, the bound obtained via uniformization and the robustness theorem is very loose. Indeed, imprecise rates are reflected as imprecise self-loops in the uniformization, which themselves do not have much impact on the mean payoff, but can increase the TP-imprecision and thus hugely the MP-imprecision from the robustness theorem.

Finally, note that for both types of MDP, (D6: not anytime) this naive algorithm is not an anytime algorithm⁴ since it works with pre-computed $\varepsilon_{TP}$ and $\delta_{TP}$. Instead it returns the result with the input precision if given enough time; if not given enough time, it does not return anything (also, if given more time, it does not improve the precision).


3.2 Improved Solution 


Now we modify the solution so that the drawbacks are eliminated. The main ideas are (i) to allow for differences in TP-imprecisions ($\varepsilon_{TP}$ can vary over transitions) and even deliberately ignore less important transitions and instead improve precision for transitions where more information is helpful the most; (ii) rather than using the a-priori robustness theorem, to utilize the precision of each transition to its maximum; and (iii) to give an anytime algorithm that reflects the current confidence intervals and, upon improving them, can efficiently improve the mean-payoff estimate without recomputing it from scratch. There are several ingredients used in our approach.

³ An embedded MDP of a CTMDP is obtained by considering for every state $s$, actions $a \in Av(s)$, and transitions $t \in Post(s,a)$, such that $T(s,a,t) = \Delta(s,a,t)$, and by disregarding the transition rate matrix.

⁴ An anytime algorithm can, at every step, return the current estimate with its imprecision, and this bound converges to 0 in the limit.

Firstly, [2] provides an anytime algorithm for approximating mean payoff in a fully known MDP. The algorithm is a version of value iteration, called on-demand, performing improvements (so called Bellman updates) of the mean-payoff estimate in each state. Moreover, the algorithm is simulation-based, performing the updates in the visited states, biasing towards states where a more precise estimate is helpful the most (“on demand”). This matches well our learning setting. However, the approach assumes precise knowledge of the transition probabilities and, even more importantly, heavily relies on the knowledge of MECs. Indeed, it decomposes the mean-payoff computation according to Eq. 2 into computing mean payoff within MECs and optimizing (weighted) reachability of the MECs (with weights being their mean payoffs). When the MECs are unknown, neither of these two steps can be executed.

Secondly, [3] provides an efficient way of learning reachability probabilities (in the greybox and blackbox settings). Unfortunately, since it considers TP-inconfidence to be the same for all transitions, causing different TP-imprecisions, the use of the robustness theorem in [3] makes the algorithm used there practically unusable in many cases. On a positive note, the work identifies the notion of $\delta_{TP}$-sure EC, which reflects how confident we are, based on the simulations so far, that a set of states is an EC. This notion will be crucial also in our algorithm.

Both approaches are based on “bounded value iteration”, which computes at 
any moment of time both a lower and an upper bound on the value that we are 
approximating (mean payoff or reachability, respectively). This yields anytime 
algorithms with known imprecision, the latter—being a learning algorithm on 
an incompletely known MDP—only with some confidence. Note that the upper 
bound converges only because ECs are identified and either collapsed (in the 
former) or deflated [24] (in the latter), meaning their upper bounds are decreased 
in a particular way to ensure correctness. 


Our algorithm on (discrete-time) MDP $\mathcal{M}$ performs, essentially, the following. It simulates $\mathcal{M}$ in a similar way as [3]. With each visit of each state, it not only updates the model (includes this transition and improves the estimate of the outgoing transition probabilities), but also updates the estimate of the mean payoff by a Bellman update. Besides, at every moment of time, the current model yields a hypothesis what the actual MECs of $\mathcal{M}$ are and the respective confidence. While we perform the Bellman updates on all visited states deemed transient, the states deemed to be in MECs are updated separately, like in [2]. However, in contrast to [2], where every MEC is fully known and can thus be collapsed, and in contrast to the “bounded” quotient of [3] (see Appendix A of [1]), we instead introduce a special action stay in each of its states, which simulates staying in the (not fully known) MEC and obtaining its mean-payoff estimate via reachability:
Definition 4. (stay-augmented MDP). Let $\mathcal{M} = (S, s_{init}, Act, Av, T, r)$ be an MDP and $l, u : MEC(\mathcal{M}) \to [0,1]$ be real functions on MECs.⁶ We augment the stay action to $\mathcal{M}$ to obtain $\mathcal{M}' = (S', s_{init}, Act', Av', T', r')$, where

- $S' = S \uplus \{s_+, s_-, s_?\}$,
- $Act' = Act \uplus \{stay\}$,
- $Av'(s) = \begin{cases} Av(s) & \text{for } s \in S \setminus \bigcup MEC(\mathcal{M}) \\ Av(s) \cup \{stay\} & \text{for } s \in \bigcup MEC(\mathcal{M}) \\ \{stay\} & \text{for } s \in \{s_+, s_-, s_?\} \end{cases}$
- $T'$ extends $T$ by $T'(s, stay) = \{s_+ \mapsto l(M),\; s_- \mapsto 1 - u(M),\; s_? \mapsto u(M) - l(M)\}$ for $s \in M$ with $M \in MEC(\mathcal{M})$, and by $T'(s, stay, s) = 1$ for $s \in \{s_+, s_-, s_?\}$,⁵
- $r'$ extends $r$ by $r'(s_+) = r'(s_?) = r'(s_-) = 0$.


Corollary 1. If $l, u$ are valid lower and upper bounds on the mean payoff within MECs of $\mathcal{M}$ then $\max_\sigma \mathbb{P}^\sigma_{s_{init}}[\Diamond\{s_+\}] \leq v(s_{init}) \leq \max_\sigma \mathbb{P}^\sigma_{s_{init}}[\Diamond\{s_+, s_?\}]$, where $\max_\sigma \mathbb{P}^\sigma_{s_{init}}[\Diamond S]$ gives the maximum probability of reaching some state in $S$ over all strategies.


This turns the problem into reachability, and thus allows for deflating (defined for reachability in [3]) and an algorithm combining [3] and [2]. The details are explained in the next section. To summarize, (D1) and (D2) are eliminated by not requiring uniform TP-imprecisions; (D3) and (D4) are eliminated via updating lower and upper bounds (using deflating) instead of using the robustness theorem.
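As an added example (not the paper's code), the following Python builds the stay-augmented MDP of Definition 4 for a constructed MDP with two single-state MECs and evaluates the two reachability problems of Corollary 1 by value iteration, once with loose bounds $l < u$ on one MEC and once with exact values, where both bounds collapse onto the Eq. (2) value. The MECs and their bounds $l, u$ are given here rather than learnt, which the paper does through $\delta_{TP}$-sure ECs.

```python
# Added example (not from the paper): the stay-augmented MDP of Definition 4
# and the reachability bounds of Corollary 1 on a constructed MDP. The MECs
# and the bounds l, u are supplied here; in the paper they are learnt.
S_PLUS, S_MINUS, S_Q = "s+", "s-", "s?"
STAY = "stay"

# Constructed MDP: T[(s, a)] = {t: T(s, a, t)}; s0 is the initial state.
T = {
    ("s0", "a"): {"m1": 1.0},
    ("s0", "b"): {"m2": 0.6, "m1": 0.4},
    ("m1", "loop"): {"m1": 1.0},   # MEC A = ({m1}, {loop})
    ("m2", "loop"): {"m2": 1.0},   # MEC B = ({m2}, {loop})
}
MECS = {"A": {"m1"}, "B": {"m2"}}   # MEC name -> states of that MEC


def stay_augment(trans, mecs, low, up):
    """T' of Definition 4: every MEC state gets `stay`, leading to s+ with
    probability l(M), to s- with 1 - u(M) and to s? with u(M) - l(M); the
    three terminal states loop on `stay` with probability 1."""
    aug = dict(trans)
    for name, states in mecs.items():
        l, u = low[name], up[name]
        if not 0.0 <= l <= u <= 1.0:
            raise ValueError(f"need 0 <= l <= u <= 1 for MEC {name}")
        for s in states:
            aug[(s, STAY)] = {S_PLUS: l, S_MINUS: 1.0 - u, S_Q: u - l}
    for t in (S_PLUS, S_MINUS, S_Q):
        aug[(t, STAY)] = {t: 1.0}
    return aug


def max_reach(trans, targets, tol=1e-12, max_iter=100_000):
    """max_sigma P^sigma[<> targets] for every state, by value iteration from 0
    (the iterates increase to the least fixed point, which is the true value)."""
    states = {s for (s, _) in trans} | {t for succ in trans.values() for t in succ}
    actions = {s: [succ for (q, _), succ in trans.items() if q == s] for s in states}
    x = {s: 1.0 if s in targets else 0.0 for s in states}
    for _ in range(max_iter):
        new = {s: 1.0 if s in targets else
               max(sum(p * x[t] for t, p in succ.items()) for succ in actions[s] or [{}])
               for s in states}
        if max(abs(new[s] - x[s]) for s in states) < tol:
            return new
        x = new
    return x


def mean_payoff_bounds(trans, mecs, low, up, init):
    """Corollary 1: max P[<>{s+}] <= v(init) <= max P[<>{s+, s?}] in M'."""
    aug = stay_augment(trans, mecs, low, up)
    return max_reach(aug, {S_PLUS})[init], max_reach(aug, {S_PLUS, S_Q})[init]


if __name__ == "__main__":
    # MEC A known exactly (0.3); of MEC B only l = 0.5, u = 0.9 is known.
    lo, hi = mean_payoff_bounds(T, MECS, {"A": 0.3, "B": 0.5}, {"A": 0.3, "B": 0.9}, "s0")
    print(lo, hi)   # 0.42 <= v(s0) <= 0.66
    # With exact values v_A = 0.3, v_B = 0.7, Eq. (2) gives v(s0) = 0.6*0.7 + 0.4*0.3 = 0.54
    # and both bounds collapse onto it.
    print(mean_payoff_bounds(T, MECS, {"A": 0.3, "B": 0.7}, {"A": 0.3, "B": 0.7}, "s0"))
```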

Concerning CTMDP, in Sect. 5 we develop a confidence interval computation for the rates. Further, we design an algorithm deriving the MP-imprecision resulting from the rate imprecisions, that acts directly on the CTMDP and not on the embedded MDP of the uniformization. This effectively removes (D5).


4 Algorithm for Discrete-Time MDP 


Now that we have explained the difficulties of a naive approach, and the concepts from literature together with novel ideas to overcome them, we describe the actual algorithm for the discrete-time setting. Following a general outline of the algorithm, we give detailed explanations behind the components and provide the statistical guarantees the algorithm gives. Detailed pseudocode of the algorithms for this section is provided in Appendix B of [1].


Overall Algorithm and Details. Our version of an on-demand value iteration for mean payoff in black-box MDP is outlined in Algorithm 1. Initially, the input MDP $\mathcal{M}$ is augmented with terminal states ($\{s_+, s_-, s_?\}$) to obtain the stay-augmented MDP $\mathcal{M}'$. We learn a stay-augmented MDP $\mathcal{M}' = (S', s_{init}, Act', Av', T', r')$ by collecting samples through several simulation runs (Lines 5-8). Over the course of the algorithm, we identify MECs with $\delta_{TP}$ confidence (Line 13) and gradually increase precision on their respective values (Lines 9-11). As stated earlier, these simulations are biased towards actions that lead to MECs potentially having higher rewards. Values for MECs are encoded using the stay action (Line 12) and propagated throughout the model using bounded value iteration (Lines 14-19). In Line 14, we reinitialize the values of the states in the partial model since new MECs may be identified and also existing MECs may change. Finally, we claim that the probability estimates $T'$ are correct with confidence $\delta_{MP}$ and if the bounds on the value are precise enough, we terminate the algorithm. Otherwise, we repeat this overall process with improved bounds (Line 20).

⁵ A higher transition probability to $s_+$ indicates that the MEC has high value, a higher transition probability to $s_?$ indicates high uncertainty in the value of the MEC, while a higher transition probability to $s_-$ indicates that the MEC has low value.

⁶ For simplicity of the presentation, we assume the rewards are between 0 and 1, for all states. If they are not, we can always rescale them to $[0,1]$ by dividing them by the maximum reward observed so far and correspondingly adjust $T(\cdot, stay, \cdot)$.


Simulation. The SIMULATE function simulates a run over the input blackbox MDP $M$ and returns the visited states in order. The simulation of $M'$ is executed by simulating $M$ together with a random choice if action stay is taken. Consequently, a simulation starts from $s_{init}$ and ends at one of the terminal states ($\{s_+, s_-, s_?\}$). During simulation, we enhance our estimate of $M'$ by visiting new states, exploring new actions and improving our estimate of $T'$ with more samples. When states are visited for the first time, actions are chosen at random, and subsequently, actions with a higher potential reward are chosen. If a simulation is stuck in a loop, we check for the presence of an MEC with $\delta_{TP}$ confidence. If a $\delta_{TP}$-sure MEC is found, we add a stay action with $l, u = 0, 1$; otherwise we keep simulating until the required confidence is achieved. After that, we take the action with the highest upper bound that is leaving the MEC to continue the simulation. We do several such simulations to build a large enough model before doing value iteration in the next steps.


Estimating Transition Probabilities. [3] gives an analysis to estimate bounds on transition probabilities for reachability objectives in MDPs. For completeness, we briefly restate it here. Given an MP-inconfidence $\delta_{MP}$, we distribute the inconfidence over all individual transitions as

$$\delta_{TP} := \frac{\delta_{MP} \cdot p_{min}}{|\{a \mid s \in S' \wedge a \in Av'(s)\}|},$$

where $1/p_{min}$ gives an upper bound on the maximum number of possible successors for an available action from a state.⁷ Hoeffding's inequality gives us a bound on the number of times an action $a$ needs to be sampled from state $s$, denoted $\#(s,a)$, to achieve a TP-imprecision $\varepsilon_{TP} \ge \sqrt{\frac{\ln \delta_{TP}}{-2\,\#(s,a)}}$ on $\hat T(s,a,t)$, such that

$$\hat T(s,a,t) := \max\left(0,\; \frac{\#(s,a,t)}{\#(s,a)} - \varepsilon_{TP}\right),$$

where $\#(s,a,t)$ is the number of times $t$ is sampled when action $a$ is chosen in $s$.

⁷ Knowing additionally $\max_{s \in S, a \in Av(s)} |Post(s,a)|$ gives slightly smaller TP-imprecision. See Appendix G.4 in [1].

Algorithm 1. Mean-payoff learning for black-box MDP
Input: MDP M, imprecision ε_MP > 0, MP-inconfidence δ_MP > 0, lower bound p_min on transition probabilities in M
Parameters: revisit threshold k ≥ 2, episode length n ≥ 1
Output: upon termination, ε_MP-precise estimate of the maximum mean payoff for M with confidence 1 − δ_MP, i.e. (ε_MP, 1 − δ_MP)-PAC estimate

1: procedure ON-DEMAND BVI
   // Initialization
2:   Set L(s_+) = U(s_+) = U(s_?) = 1, L(s_-) = U(s_-) = L(s_?) = 0      ▷ Augmentation
3:   S' = ∅                                                             ▷ States of learnt model
4:   repeat
       // Get n simulation runs and update MP of MECs where they end up
5:     for n times do
6:       w ← SIMULATE(k)                                                 ▷ Path taken by the simulation
7:       S' ← S' ∪ w                                                     ▷ Add states to the model
8:       δ_TP ← δ_MP · p_min / |{a | s ∈ S' ∧ a ∈ Av'(s)}|               ▷ Split inconfidence among all transitions
9:       if last state of w is s_+ or s_? then                           ▷ Probably entered a good MEC M
10:        M ← MEC from which we entered the last state of w
11:        UPDATE_MEC_VALUE(M)                                           ▷ Increase precision using more VI
12:        Update T'(s, stay) according to Definition 4 for all s ∈ M
       // Identify δ_TP-sure MECs and propagate their MP by VI for reachability
13:    ProbableMECs ← FIND_MECS                                          ▷ δ_TP-sure MECs
14:    INITIALIZE_VI_BOUNDS                                              ▷ Reinitialize L, U for all states
15:    repeat
16:      UPDATE(S')                                                      ▷ One Bellman update per state
17:      for T ∈ ProbableMECs do
18:        DEFLATE(T)                                                    ▷ Ensure safe but converging U
19:    until L and U close to their respective fixpoints
20:  until U(s_init) − L(s_init) < 2ε_MP      ▷ ε_MP is the absolute error; we use "< 2ε_MP / r_max" for the relative difference between upper and lower values, where r_max = max_{s ∈ S'} r(s)


Updating mean-payoff values. Using $\hat T(s,a,t)$, we compute estimates of the upper and lower bounds of the values corresponding to every action from a state visited in the partial model that is constructed so far. We use the following modified Bellman equations [3]:

$$L(s,a) := \sum_{t:\#(s,a,t)>0} \hat T(s,a,t)\cdot L(t),$$
$$U(s,a) := \sum_{t:\#(s,a,t)>0} \hat T(s,a,t)\cdot U(t) + \Big(1 - \sum_{t:\#(s,a,t)>0} \hat T(s,a,t)\Big),$$

where $L(t) = \max_{a \in Av(t)} L(t,a)$ and $U(t) = \max_{a \in Av(t)} U(t,a)$ are bounds on the value from a state, $v(s)$. When a state is discovered for the first time during the simulation, and is added to the partial model, we initialize $L(s)$ and $U(s)$ to 0 and 1, respectively. Note that $\sum_{t:\#(s,a,t)>0} \hat T(s,a,t) \le 1$. We attribute the remaining probability to unseen successors and assume their value to be 0 (1) to safely under-(over-)approximate the lower (upper) bounds. We call these blackbox Bellman update equations, since they assume that not all the successors of a state-action pair may have been visited.


Estimating Values of End-Components. End-components are identified with an inconfidence of $\delta_{TP}$. As observed in [13], assuming an action has been sampled $n$ times, the probability of missing a transition for that action is at most $(1-p_{min})^n$. Thus, for identifying $(T, A)$ as a $\delta_{TP}$-sure MEC, every action in $A$ that is available from a state $s \in T$ needs to be sampled at least $\frac{\ln \delta_{TP}}{\ln(1-p_{min})}$ times. Once a $\delta_{TP}$-sure MEC $M$ is identified, we estimate its upper ($v^u_M$) and lower ($v^l_M$) bounds using value iteration.⁸ While running value iteration, we assume, with a small inconfidence, that there are no unseen outgoing transitions. So we use the following modified Bellman update equations inside the MEC, where we under-(over-)approximate the lower (upper) bound to a much lesser degree:

$$L(s,a) := \sum_{t:\#(s,a,t)>0} \hat T(s,a,t)\cdot L(t) + \min_{t:\#(s,a,t)>0} L(t)\cdot\Big(1-\sum_{t:\#(s,a,t)>0} \hat T(s,a,t)\Big),$$
$$U(s,a) := \sum_{t:\#(s,a,t)>0} \hat T(s,a,t)\cdot U(t) + \max_{t:\#(s,a,t)>0} U(t)\cdot\Big(1-\sum_{t:\#(s,a,t)>0} \hat T(s,a,t)\Big).$$

Following the assumption, we call these greybox (see Definition 3) Bellman update equations. The value iteration algorithm further gives us bounds on $v^l_M$ and $v^u_M$. We say that the upper estimate of $v^u_M$ ($\hat v^u_M$) and the lower estimate of $v^l_M$ ($\hat v^l_M$) are the overall upper and lower bounds of the mean-payoff value of $M$, respectively. To converge the overall bounds, we need value iteration to return more precise estimates of $v^l_M$ and $v^u_M$, and we need to sample the actions inside $M$ many times to reduce the difference between $v^l_M$ and $v^u_M$. We call this procedure UPDATE_MEC_VALUE.
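The following Python script is an added illustration of the Hoeffding-based estimate $\hat T$, the blackbox Bellman update equations and the greybox Bellman update equations described above; it is not code from the paper or its PRISM extension. The model, its sample counts $\#(s,a,t)$ and the value $\delta_{TP} = 0.01$ are constructed for this example, and it runs bounded value iteration (for reaching $s_+$) with both update rules so that the two resulting intervals can be compared.

```python
import math

# Constructed sample counts #(s, a, t) for a tiny stay-augmented model
# (an assumption for this example, not a benchmark from the paper).
# Terminal states carry fixed bounds: s_plus has L = U = 1, s_minus has L = U = 0.
COUNTS = {
    ("init", "a"): {"mid": 90, "s_minus": 10},
    ("mid", "b"): {"s_plus": 95, "mid": 5},
}
TERMINALS = {"s_plus": (1.0, 1.0), "s_minus": (0.0, 0.0)}


def eps_tp(n_samples, delta_tp):
    """Hoeffding: TP-imprecision reached after n_samples draws with inconfidence delta_tp,
    i.e. eps_TP = sqrt(ln(delta_TP) / (-2 * #(s,a)))."""
    return math.sqrt(math.log(delta_tp) / (-2.0 * n_samples))


def t_hat(counts, delta_tp):
    """Lower estimate T^(s,a,t) = max(0, #(s,a,t)/#(s,a) - eps_TP) for every sampled successor."""
    est = {}
    for (s, a), succ in counts.items():
        n = sum(succ.values())                    # #(s,a)
        eps = eps_tp(n, delta_tp)
        est[(s, a)] = {t: max(0.0, c / n - eps) for t, c in succ.items()}
    return est


def bellman(est, L, U, s, a, greybox):
    """One update of (L(s,a), U(s,a)).
    blackbox: the probability mass not covered by T^ belongs to unseen successors valued 0 / 1.
    greybox:  no unseen successors are assumed, so the missing mass goes to the worst / best
              sampled successor."""
    succ = est[(s, a)]
    missing = 1.0 - sum(succ.values())
    lo = sum(p * L[t] for t, p in succ.items())
    up = sum(p * U[t] for t, p in succ.items())
    if greybox:
        lo += missing * min(L[t] for t in succ)
        up += missing * max(U[t] for t in succ)
    else:
        up += missing                             # lower bound gets 0 * missing, upper gets 1 * missing
    return lo, up


def bounded_vi(counts, delta_tp, greybox, tol=1e-10, max_iter=10000):
    """Bounded value iteration (reachability of s_plus) over the learnt partial model.
    Returns {state: (L, U)} for the non-terminal states."""
    est = t_hat(counts, delta_tp)
    actions = {}
    for s, a in counts:
        actions.setdefault(s, []).append(a)
    # newly discovered states start with L = 0 and U = 1
    L = {s: 0.0 for s in actions}
    U = {s: 1.0 for s in actions}
    for t, (l, u) in TERMINALS.items():
        L[t], U[t] = l, u
    for _ in range(max_iter):
        change = 0.0
        for s, acts in actions.items():
            pairs = [bellman(est, L, U, s, a, greybox) for a in acts]
            lo = max(p[0] for p in pairs)         # L(s) = max_a L(s,a)
            up = max(p[1] for p in pairs)         # U(s) = max_a U(s,a)
            change = max(change, abs(lo - L[s]), abs(up - U[s]))
            L[s], U[s] = lo, up
        if change < tol:
            break
    return {s: (L[s], U[s]) for s in actions}


if __name__ == "__main__":
    for greybox in (False, True):
        name = "greybox" if greybox else "blackbox"
        for s, (lo, up) in sorted(bounded_vi(COUNTS, 0.01, greybox).items()):
            print(f"{name:8s} {s:5s} L={lo:.4f} U={up:.4f}")
```

The greybox interval for init is contained in the blackbox one, which is the trade-off discussed later under "Using Greybox Update Equations During Blackbox Learning".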

Now, some MECs may have very low values or may not be reachable from $s_{init}$ with high probability. In such cases, no optimal strategy may visit these MECs, and it might not be efficient to obtain very precise mean-payoff values for every MEC that is identified in an MDP. We follow the on-demand heuristic [2] where we progressively increase the precision on mean-payoff values as an MEC seems more likely to be a part of an optimal strategy. The stay action on MECs helps in guiding simulation towards those MECs that have a higher lower bound of the mean-payoff value. In particular, whenever the simulation ends up in $s_+$ or $s_?$, we run UPDATE_MEC_VALUE with higher precision on the MEC that led to these states. If the simulation ends up in these states through a particular MEC more often, it indicates that the MEC is likely to be a part of an optimal strategy, and it would be worth increasing the precision on its mean-payoff value.


⁸ Note that the ECs are required to be aperiodic for the VI to converge. [30] suggests a way that deals with this.
Deflate Operation. Unlike in the case of computation of mean payoff for whitebox models [3], where an MEC is collapsed following the computation of its value, for blackbox learning, once a set of states is identified as a $\delta_{TP}$-sure MEC, we cannot collapse them. This is because collapsing would prevent a proper future analysis of those states, which is undesirable in a blackbox setting. However, this leads to other problems. To illustrate this, we consider an MDP that only has a single MEC $M$ and one outgoing action from every individual state. Recall from Eq. 2 that we compute the mean-payoff by reducing it to a reachability problem. Once the mean-payoff for the MEC, and the probabilities corresponding to the stay action in Line 12 are computed, to compute the reachability probability, the upper and lower bounds of all states in the MECs are initialized to 1 and 0 respectively. Now suppose that the sum of probabilities to $s_+$ and $s_?$ is $p$, denoting the upper bound on the value of the mean-payoff to be $p \cdot r_{max}$. Clearly, the upper bound on the reachability value of this MDP is $p$. Now, when we do BVI to calculate this value, from every state in $M$, there would be at least two action choices, one that stays inside the MEC, and one that corresponds to the stay action. Initially, all states, except the terminal states, would have lower and upper values set to 0 and 1, respectively. Thus, among the two action choices, one would have upper value $p$, while the other would have upper value 1, and hence, the Bellman update assigns the upper value of the state to 1. As one can see, this would go on, and convergence would not happen, and hence the true mean-payoff value will not be propagated to the initial state of the MDP. To avoid this, we need the deflate operation, which lowers the upper reachability value to the best outgoing action, i.e. in this case, the stay action with value $p$.
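An added Python example (not code from the paper) that reproduces the non-convergence described above on a constructed model and shows how deflating fixes it. The model, the state names, the stay probabilities (so that $p = 0.7$) and the use of exact transition probabilities are assumptions made to isolate the effect of the deflate operation.

```python
# Constructed stay-augmented model (an assumption for this example, not a benchmark
# from the paper). Transition probabilities are taken as exact to isolate the effect of
# deflating. The MEC {m1, m2} cycles on action "loop"; its stay action encodes the
# already computed mean-payoff as probabilities to s_plus / s_q / s_minus, so p = 0.6 + 0.1.
STAY = {"s_plus": 0.6, "s_q": 0.1, "s_minus": 0.3}
MODEL = {
    "init": {"go": {"m1": 1.0}},
    "m1": {"loop": {"m2": 1.0}, "stay": STAY},
    "m2": {"loop": {"m1": 1.0}, "stay": STAY},
}
MECS = [frozenset({"m1", "m2"})]
# terminal states with their fixed (L, U): s_plus = (1, 1), s_q = (0, 1), s_minus = (0, 0)
TERMINALS = {"s_plus": (1.0, 1.0), "s_q": (0.0, 1.0), "s_minus": (0.0, 0.0)}


def action_value(model, V, s, a):
    """Expected value of bound V after taking action a in s."""
    return sum(p * V[t] for t, p in model[s][a].items())


def deflate(model, U, mec):
    """Lower U of every MEC state to the best upper value of an action leaving the MEC
    (an action is leaving if at least one successor lies outside the MEC)."""
    best = max(
        action_value(model, U, s, a)
        for s in mec for a, succ in model[s].items()
        if any(t not in mec for t in succ)
    )
    for s in mec:
        U[s] = min(U[s], best)


def bvi(model, mecs, use_deflate, iters=100):
    """Bounded value iteration for reaching s_plus; returns (L, U) after `iters` rounds.
    Non-terminal states start with L = 0 and U = 1."""
    L = {s: 0.0 for s in model}
    U = {s: 1.0 for s in model}
    for t, (l, u) in TERMINALS.items():
        L[t], U[t] = l, u
    for _ in range(iters):
        for s in model:                           # one Bellman update per state
            L[s] = max(action_value(model, L, s, a) for a in model[s])
            U[s] = max(action_value(model, U, s, a) for a in model[s])
        if use_deflate:
            for mec in mecs:                      # DEFLATE step of Algorithm 1, Line 18
                deflate(model, U, mec)
    return L, U


if __name__ == "__main__":
    for flag in (False, True):
        L, U = bvi(MODEL, MECS, use_deflate=flag)
        print(f"deflate={flag}: init in [{L['init']:.3f}, {U['init']:.3f}]")
```

Without deflating, the upper bound of init stays at 1 no matter how many rounds are run; with deflating it drops to $p = 0.7$ while the lower bound is 0.6 in both cases.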


Statistical Guarantees. The following theorem shows that the mean-payoff value learnt by Algorithm 1 is PAC on an input blackbox MDP.

Theorem 1. Algorithm 1 has the property that when it stops, it returns an interval for the mean-payoff value of the MDP that is PAC for the given MP-inconfidence $\delta_{MP}$ and the MP-imprecision $\varepsilon_{MP}$.

Anytime Algorithm. As a direct consequence, we obtain an anytime algorithm from Algorithm 1 by (1) dropping the termination test on Line 20, i.e. replacing it with until false, and (2) upon query (or termination) by the user, outputting $(U(s_{init}) + L(s_{init}))/2$ as the estimate and, additionally, $(U(s_{init}) - L(s_{init}))/2$ as the current imprecision.


Using Greybox Update Equations During Blackbox Learning. We also consider the variant where we use greybox update equations to estimate the mean-payoff values. However, assuming we keep the TP-imprecision unchanged, the overall TP-inconfidence now has to include the probability of missing some successor of a state $s$ for an action $a$.⁹ Given a number of samples $\#(s,a)$, the probability that we miss a particular successor is at most $(1-p_{min})^{\#(s,a)}$, and hence the overall TP-inconfidence corresponding to using greybox equations for blackbox learning increases to $\delta_{TP} + (1-p_{min})^{\#(s,a)}$.

We also note that the use of greybox update equations on estimating the transition probabilities also gives us a PAC guarantee, but with an increased MP-inconfidence resulting from an increased TP-inconfidence.

⁹ Assuming $\#(s,a)$ to be as small as 200, and $p_{min} = 0.05$, the probability of missing a transition is $3.5 \cdot 10^{-5}$.


5 Algorithm for Continuous-Time MDP 


In this section, we describe an algorithm to learn blackbox CTMDP models for the mean-payoff objective while respecting the PAC guarantees. As in the case of MDPs, we reduce the mean-payoff problem to a reachability problem. We follow the same overall framework as in MDPs, where we compute the probability to reach the end-components under an optimal strategy, and we compute their respective mean-payoff values. Computing reachability probabilities in a CTMDP is the same as computing reachability probabilities in the underlying embedded MDP. Similar to estimating $T(s,a,t)$ in Sect. 4 for MDPs, we estimate $\Delta(s,a,t)$¹⁰ for CTMDPs, and follow the simulation-based procedure in Algorithm 1 to compute reachability probabilities. However, unlike MECs in MDPs, where the mean-payoff value depends solely on the transition probabilities, the mean-payoff value in a CTMDP also depends on the rates $\lambda(s,a)$ for $s \in T$ and $a \in A(s)$ for an MEC $M = (T, A)$. Thus, to compute the value of an MEC, we also estimate the rates of the state-action pairs. Once we get the estimates of the rates, we uniformize the CTMDP to obtain a uniform CTMDP that can be treated as an MDP by disregarding the rates while preserving the mean-payoff value [30]. Detailed pseudocode of the algorithms for this section is provided in Appendix F of [1].


Estimating Rates. Recall that for an action $a$, the time spent in $s$ is exponentially distributed with a parameter $\lambda(s,a)$, and $\frac{1}{\lambda(s,a)}$ is the mean of this distribution. During the simulation of a CTMDP, for every state $s$ reached and action $a$ chosen from $s$, we construct a sequence $\tau_{s,a}$ of the time differences between the entry and the corresponding exit from $s$ when action $a$ is chosen. Then, the average over the sequence $\tau_{s,a}$ gives us an estimate $\frac{1}{\hat\lambda_{s,a}}$ of $\frac{1}{\lambda_{s,a}}$ (abbreviated to $\frac{1}{\hat\lambda}$ and $\frac{1}{\lambda}$ from now on when $(s,a)$ is clear from the context).

Assuming a multiplicative error $\alpha_R$ on our estimates of $\frac{1}{\lambda}$, the lemma below uses Chernoff bounds¹¹ to give the number of samples that need to be collected from an exponential distribution so that the estimated mean $\frac{1}{\hat\lambda}$ is at most an $\alpha_R$-fraction away from the actual mean $\frac{1}{\lambda}$ with probability at least $1-\delta_R$, where $\alpha_R, \delta_R \in (0,1)$. Further, by Cramér's theorem [15], it follows that this is the tightest possible bound for the number of samples collected.

¹⁰ Recall that an estimate of $\Delta(s,a,t)$ is the ratio between $\#(s,a,t)$ and $\#(s,a)$, and is the probability with which we go to state $t$ from $s$ when action $a$ is chosen from $s$.

¹¹ Since $\lambda$ is not bounded, we cannot use Hoeffding's inequality as in the case of estimating the transition probabilities.
Lemma 1. Let $X_1, \ldots, X_n$ be exponentially distributed i.i.d. random variables with mean $\frac{1}{\lambda}$. Then we have that

$$\mathbb{P}\left[\left|\frac{1}{n}\sum_{i=1}^{n} X_i - \frac{1}{\lambda}\right| \ge \frac{\alpha_R}{\lambda}\right] \le \big((1+\alpha_R)\,e^{-\alpha_R}\big)^{n} + \big((1-\alpha_R)\,e^{\alpha_R}\big)^{n},$$

where $\frac{1}{n}\sum_{i=1}^{n} X_i = \frac{1}{\hat\lambda}$.

Assuming the right-hand side of the inequality is at most $\delta_R$, we have that $\lambda \in [\hat\lambda(1-\alpha_R), \hat\lambda(1+\alpha_R)]$, or $\hat\lambda \in \left[\frac{\lambda}{1+\alpha_R}, \frac{\lambda}{1-\alpha_R}\right]$, with probability at least $1-\delta_R$. Table 1 shows the number of samples required for various values of $\alpha_R$ and $\delta_R$.¹²

Table 1. Lookup table for number of samples based on $\alpha_R$ and $\delta_R$

  α_R \ δ_R |  10%  |   5%  | 0.01% | 0.00001%
  ----------+-------+-------+-------+---------
     3%     |  7000 |  9000 | 23000 |  60000
     5%     |  2500 |  3100 |  8000 |  13400
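The following Python script is added here to illustrate Lemma 1 and Table 1; it is not code from the paper. It evaluates the Chernoff bound of Lemma 1, searches for the smallest sample count meeting a given $\delta_R$ (Table 1 lists such counts rounded up), and checks the resulting guarantee empirically on constructed exponential samples with an assumed true rate $\lambda = 2$.

```python
import math
import random


def lemma1_bound(n, alpha):
    """Right-hand side of Lemma 1: Chernoff bound on P[|X_bar - 1/lambda| >= alpha/lambda]
    for n i.i.d. exponential samples; it does not depend on lambda."""
    return ((1.0 + alpha) * math.exp(-alpha)) ** n + ((1.0 - alpha) * math.exp(alpha)) ** n


def samples_needed(alpha, delta):
    """Smallest n with lemma1_bound(n, alpha) <= delta (the quantity tabulated in Table 1,
    there rounded up). The bound decreases in n, so grow an upper limit and then bisect."""
    hi = 1
    while lemma1_bound(hi, alpha) > delta:
        hi *= 2
    lo = hi // 2 + 1 if hi > 1 else 1
    while lo < hi:
        mid = (lo + hi) // 2
        if lemma1_bound(mid, alpha) <= delta:
            hi = mid
        else:
            lo = mid + 1
    return lo


def estimate_rate(samples):
    """Rate estimate lambda_hat from sojourn-time samples: 1 / (sample mean)."""
    return len(samples) / sum(samples)


def empirical_miss_rate(alpha, n, lam=2.0, trials=300, seed=7):
    """Monte Carlo check of the guarantee: fraction of trials whose estimate falls outside
    [lam/(1+alpha), lam/(1-alpha)], i.e. for which the true rate is not within the
    alpha_R-interval around lambda_hat. `lam` is a constructed true rate."""
    rng = random.Random(seed)
    misses = 0
    for _ in range(trials):
        lam_hat = estimate_rate([rng.expovariate(lam) for _ in range(n)])
        if not (lam / (1.0 + alpha) <= lam_hat <= lam / (1.0 - alpha)):
            misses += 1
    return misses / trials


if __name__ == "__main__":
    for alpha in (0.03, 0.05):
        for delta in (0.1, 0.05, 1e-4, 1e-7):
            print(f"alpha_R={alpha:.2f} delta_R={delta:g}: n = {samples_needed(alpha, delta)}")
    n = samples_needed(0.05, 0.1)
    print(f"empirical miss rate at n={n}: {empirical_miss_rate(0.05, n):.3f} (bound 0.1)")
```

The empirical miss rate comes out well below $\delta_R$, which is expected since a Chernoff bound is conservative.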


Given a maximum multiplicative error $\alpha_R$ on the mean of the exponential distributions of the state-action pairs in a CTMDP, we say that the rate $\lambda$ is known $\alpha_R$-precisely if $\lambda \in [\hat\lambda(1-\alpha_R), \hat\lambda(1+\alpha_R)]$. We now quantify the bounds on the estimated mean-payoff value. Let $M$ be a CTMDP, $v_M$ be its actual mean-payoff value, and let $\hat v_M$ denote its mean-payoff when the rates of the state-action pairs are known $\alpha_R$-precisely. Then we have the following.

Lemma 2. Given a CTMDP $M$ with rates known $\alpha_R$-precisely, with transition probabilities known precisely, and with maximum reward per unit time over all states $r_{max}$, we have

$$v_M \cdot \frac{1-\alpha_R}{1+\alpha_R} \;\le\; \hat v_M \;\le\; v_M \cdot \frac{1+\alpha_R}{1-\alpha_R} \quad\text{and}\quad |\hat v_M - v_M| \le \frac{2\alpha_R}{1-\alpha_R}\, r_{max}.$$


Estimating Mean-Payoff Values of MECs. Using our bounds on the rates of the transitions, we now compute bounds on the mean-payoff values of MECs in CTMDPs. We first show that the mean payoff is maximized or minimized at the boundaries of the estimates of the rates. Intuitively, to maximise the mean-payoff value, for a state $s_i$ with a high reward, we would like to maximise the time spent in $s_i$ or, equivalently, minimise the rate $\lambda(s_i, a)$ for every outgoing action $a$ from $s_i$. We do the opposite when we want to find a lower bound on the mean-payoff value in the MEC. Consider an MEC $M$ having states $T = \{s_1, \ldots, s_m\}$. Assume that $\lambda_i$ is the rate of an action $a$ from state $s_i$, such that a positional mean-payoff maximizing strategy $\sigma$ chooses $a$ from $s_i$. Then, the expected mean-payoff value of $M$ is given by

$$v_M = \sum_{i=1}^{m} \eta_i \cdot r(s_i), \qquad (3)$$

where $\eta_i$ denotes the expected fraction of total time spent in $s_i$ under $\sigma$. Now, we have estimates $\frac{1}{\hat\lambda_i}$ of $\frac{1}{\lambda_i}$, such that $\lambda_i \in [\hat\lambda_i(1-\alpha_R), \hat\lambda_i(1+\alpha_R)]$ with high probability. Let $\lambda_i^l = \hat\lambda_i(1-\alpha_R)$ and $\lambda_i^u = \hat\lambda_i(1+\alpha_R)$.

Proposition 1. In Eq. 3, the maximum and the minimum values of $v_M$ occur at the boundaries of the estimates of $\lambda_i$ for each $1 \le i \le m$.

In particular, $v_M$ is maximized when

$$\lambda_i = \begin{cases} \lambda_i^l & \text{if } r(s_i) > v_M \\ \lambda_i^u & \text{otherwise} \end{cases} \qquad (4)$$

Once we fix the rates for each of the states in $M$, we uniformize $M$ to obtain a uniform CTMDP $M_C$ which is an MEC and can be treated as an MDP for computing its mean-payoff value [30]. Let, for a state-action pair, the rate be $\lambda(s,a)$, and the uniformization constant be $C$. For a successor $t$ from $s$ under action $a$ such that $t \ne s$, we have $\Delta_C(s,a,t) = \frac{\lambda(s,a)}{C} \cdot \Delta(s,a,t)$, and $\Delta_C(s,a,s) = 1 - \sum_{t \ne s} \Delta_C(s,a,t)$. Finally, value iteration on $M_C$ with appropriate confidence gives us the lower and the upper estimates of the mean-payoff value of the MEC $M$.

¹² In Appendix E of [1], we show the computation of the number of samples for one of the entries.

We now describe an iterative procedure to identify those states of the MEC for which the upper bound on the estimates of the rates is assigned, and those states for which the lower bound on the estimates of the rates is assigned, in order to maximize or minimize the mean-payoff value of the MEC. Assume w.l.o.g. that the states $s_1, \ldots, s_m$ are sorted in decreasing order of their rewards $r(s_i)$. In iteration $j$, we set $\lambda_i = \lambda_i^l$ for $1 \le i \le j$, and we set $\lambda_i = \lambda_i^u$ for the remaining states and recompute $v_M$. The maximum value of $v_M$ across all iterations gives the upper bound on $v_M$. Similarly we can find the lower bound on $v_M$. Overall, value iteration is done $2|T|$ times.¹³
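To illustrate Eq. 3, Proposition 1, the uniformization step and the iterative procedure above, here is an added Python example (not the paper's code). The MEC, its rewards, the embedded transition probabilities, the estimated rates and $\alpha_R$ are constructed assumptions, and each mean payoff is computed from the stationary distribution of the uniformized chain (which equals the time fractions $\eta_i$) rather than by value iteration.

```python
import math

# Constructed MEC (an assumption for this example, not from the paper): every state has one
# action, namely the one chosen by the positional strategy sigma, so the MEC is a CTMC.
REWARD = {"s1": 1.0, "s2": 0.0}                   # reward per unit time r(s_i)
TRANS = {"s1": {"s2": 1.0}, "s2": {"s1": 1.0}}    # embedded probabilities Delta(s, sigma(s), t)
RATE_HAT = {"s1": 1.0, "s2": 1.0}                 # estimated rates lambda_hat_i
ALPHA_R = 0.1                                     # multiplicative error on the rates


def uniformize(rates, trans):
    """Uniformization with constant C: Delta_C(s,t) = lambda(s)/C * Delta(s,t) for t != s and
    Delta_C(s,s) = 1 - sum_{t != s} Delta_C(s,t). C = 2 * max rate keeps a self-loop in every
    state, so the chain is aperiodic (cf. footnote 8) and power iteration converges."""
    C = 2.0 * max(rates.values())
    P = {}
    for s in rates:
        row = {t: rates[s] / C * p for t, p in trans[s].items() if t != s}
        row[s] = 1.0 - sum(row.values())
        P[s] = row
    return P


def stationary(P, tol=1e-13, max_iter=200000):
    """Stationary distribution of the uniformized chain by power iteration; it equals the
    expected fraction of time eta_i that the CTMC spends in each state."""
    states = list(P)
    pi = {s: 1.0 / len(states) for s in states}
    for _ in range(max_iter):
        nxt = {t: 0.0 for t in states}
        for s in states:
            for t, p in P[s].items():
                nxt[t] += pi[s] * p
        done = max(abs(nxt[s] - pi[s]) for s in states) < tol
        pi = nxt
        if done:
            break
    return pi


def mean_payoff(rates, trans, reward):
    """Eq. 3: v_M = sum_i eta_i * r(s_i) for the given fixed rates."""
    eta = stationary(uniformize(rates, trans))
    return sum(eta[s] * reward[s] for s in eta)


def mean_payoff_bounds(rate_hat, alpha, trans, reward):
    """Iterative procedure of the text: states sorted by decreasing reward; in iteration j the
    first j states get lambda^l and the rest lambda^u (candidate upper bound), or the mirror
    image (candidate lower bound). 2|T| mean-payoff computations in total."""
    low = {s: l * (1.0 - alpha) for s, l in rate_hat.items()}    # lambda^l
    high = {s: l * (1.0 + alpha) for s, l in rate_hat.items()}   # lambda^u
    order = sorted(rate_hat, key=lambda s: -reward[s])
    upper, lower = -math.inf, math.inf
    for j in range(1, len(order) + 1):
        slow = {s: (low[s] if i < j else high[s]) for i, s in enumerate(order)}
        fast = {s: (high[s] if i < j else low[s]) for i, s in enumerate(order)}
        upper = max(upper, mean_payoff(slow, trans, reward))
        lower = min(lower, mean_payoff(fast, trans, reward))
    return lower, upper


if __name__ == "__main__":
    lo, up = mean_payoff_bounds(RATE_HAT, ALPHA_R, TRANS, REWARD)
    print(f"point estimate {mean_payoff(RATE_HAT, TRANS, REWARD):.4f}, bounds [{lo:.4f}, {up:.4f}]")
```

For this two-state MEC the time fraction in s1 is $\lambda_2/(\lambda_1+\lambda_2)$, so the bounds 0.45 and 0.55 around the point estimate 0.5 can be checked by hand and lie within the factors of Lemma 2.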


Overall Algorithm. As stated in the beginning of this section, an algorithm for computing the mean payoff in blackbox CTMDP models largely follows the same overall framework as stated in Sect. 4. By sampling the actions, we obtain estimates of the rates and the transition probabilities. The reachability probabilities to the MECs of the CTMDP are estimated using the estimates of the transition probabilities, while the mean-payoff values of MECs are estimated using uniformization as described above. The confidence widths on the transition probabilities in a uniformized MEC are assigned based on the number of samples $\#(s,a)$ for a state-action pair $(s,a)$.

¹³ In our experiments, we use a heuristic to estimate $v_M$ that provides good approximate bounds and is more efficient. We first compute an initial estimate $\hat v_M$ of $v_M$ using our current estimates $\hat\lambda$. We then compute the upper bound by assigning the rates as in Eq. 4 where $v_M$ is replaced with $\hat v_M$. Similarly, the lower bound can also be found. A detailed pseudocode of this algorithm is described in Algorithm 18 of [1].


Statistical Guarantees. Let $\delta_{TP}$ and $\delta_R$ be the TP-inconfidence and the inconfidence on individual transition rates, respectively. Further, let $\delta_{MP1}$ and $\delta_{MP2}$ be the overall inconfidence on the transition probabilities and transition rates, respectively. Then,

$$\delta_{TP} := \frac{\delta_{MP1} \cdot p_{min}}{|\{a \mid s \in S \wedge a \in Av(s)\}|} \quad\text{and}\quad \delta_R := \frac{\delta_{MP2}}{|\{a \mid s \in S \wedge a \in Av(s)\}|}.$$

Thus, we have that the overall inconfidence on the mean-payoff value is $\delta_{MP} = \delta_{MP1} + \delta_{MP2}$. Thus, to achieve a given inconfidence on the mean-payoff value, we fix $\delta_{TP}$ and $\delta_R$, and adjust the imprecisions $\varepsilon_{TP}$ and $\alpha_R$ accordingly.¹⁴
As in the case of MDPs, our learning algorithm for blackbox CTMDP models is an anytime algorithm that is PAC for the given MP-inconfidence $\delta_{MP}$.


6 Experimental Results 


We implemented our algorithms as an extension of PRISM [27] and tested them on 15 MDP benchmarks and 10 CTMDP benchmarks. Several of these benchmarks were selected from the Quantitative Verification Benchmark Set [21].¹⁵ The results for MDP and CTMDP blackbox learning are shown in Table 2 and Table 3 respectively. Here, we scale the upper and lower bounds to 1 and 0, and show the average values taken over 10 experiments. The experiments were run on a desktop machine with an Intel i5 3.2 GHz quad core processor and 16 GB RAM. The MP-imprecision $\varepsilon_{MP}$ is set to $10^{-?}$, revisitThreshold $k$ is set to 6, MP-inconfidence $\delta_{MP}$ is set to 0.1 and $n$ is set to 10000. We further use a timeout of 30 minutes. In the case of a timeout, the reported upper and lower bounds on the mean payoff still correspond to the input MP-inconfidence $\delta_{MP}$, although the MP-imprecision may not be the desired one.


Blackbox Learning for MDPs. We see in Table 2 that for blackbox learning, 9 out of 15 benchmarks converge well, such that the precision is within 0.1. In fact, for many of these 9 benchmarks, a precision of 0.1 is achieved much before the timeout (TO). In Fig. 1a and Fig. 1b, we show this for zeroconf and pacman. zeroconf has a large transient part and a lot of easily reachable single state MECs. Since it has a true value of 1, the upper and the lower values converge after exploring only a few MECs. Our algorithm only needed to explore a very small percentage of the states to attain the input precision. cs_nfail has many significant MECs, and the learning algorithm needs to explore each of these MECs, while in sensors there is a relatively large MEC of around 30 states, and the simulation inside this MEC takes a considerable amount of time.

virus consists of a single large MEC of more than 800 states, and its true value is 0. As we simulate the MEC more and more, the TP-imprecision on the transition probabilities decreases and the upper bound on the mean-payoff reduces over time. ij10 contains one MEC with 10 states in it. The value converges faster and reaches a value of 1 during blackbox learning. This model has a relatively high number of actions, more than 5, for many of its states outside the MEC. This leads to a higher TP-imprecision. Further, due to the conservative nature of the blackbox update equations, the upper and the lower values converge very slowly.

consensus, ij10, ij3, pacman, wlan were used in [3] for learning policies for reachability objectives. The target states in these benchmarks are sink states with self loops, and we add a reward of 1 on these target states so that the reachability probability becomes the same as the mean payoff. The mean-payoff results we observe are similar to the bounds reported for reachability probability in [3], and our experiments also take similar time as reported in [3].

The blackjack model [35] is similar to the zeroconf model. It has 3829 states and 2116 MECs. It has a large transient part and a lot of single state MECs. However, unlike zeroconf, all of the MECs have a value of 0. Thus, simulation takes more time as the TP-imprecision reduces slowly.

¹⁴ See Appendix G of [1] for a more detailed calculation of the number of samples required to make transition probabilities and the rates precise.

¹⁵ The CTMDP benchmarks are available as Markov automata models that were converted to CTMDP models using a tool developed in the thesis [11].

Table 2. Results on MDP benchmarks. Columns: number of states, true value, then for blackbox learning and for blackbox learning with greybox update equations: states explored, lower bound, upper bound, time in seconds (TO = timeout).

Benchmark  | States  | Value  | BB explored | BB lower | BB upper | BB time (s) | GB explored | GB lower | GB upper | GB time (s)
virus      | 809     | 0      | 809  | 0.0    | 0.5319 | TO    | 809  | 0.0    | 0.008  | 273.01
cs_nfail   | 184     | 0.333  | 184  | 0.3275 | 0.3618 | TO    | 184  | 0.332  | 0.337  | 126.77
investor   | 6688    | 0.95   | 6284 | 0.8458 | 0.9559 | TO    | 5835 | 0.945  | 0.954  | 620.23
zeroconf   | 3001911 | TO     | 487  | 0.923  | 1.0    | TO    | 360  | 0.990  | 1.0    | 116.04
sensors    | 189     | 0.333  | 189  | 0.3299 | 0.3513 | TO    | 189  | 0.332  | 0.336  | 64.64
consensus  | 272     | 0.1083 | 272  | 0.093  | 0.1605 | TO    | 272  | 0.103  | 0.113  | 190.32
ij10       | 1023    | 1      | 1023 | 0.3626 | 1.0    | TO    | 1023 | 0.999  | 1.0    | 26.822
ij3        | 7       | 1      | 7    | 0.990  | 1.0    | 15.92 | 7    | 0.999  | 1.0    | 0.7127
pacman     | 498     | 0.5511 | 496  | 0.5356 | 0.5754 | TO    | 496  | 0.5477 | 0.5577 | 215.36
wlan       | 2954    | 1      | 2954 | 0.6577 | 1.0    | TO    | 2935 | 1.0    | 1.0    | 16.924
blackjack  | 3829    | 0      | 3829 | 0.0    | 0.3014 | TO    | 3829 | 0.0    | 0.006  | 91.503
counter    | 8       | 0.5    | 8    | 0.4998 | 0.5    | 30.37 | 8    | 0.4999 | 0.5    | 15.215
recycling  | 5       | 0.727  | 5    | 0.726  | 0.727  | 1.309 | 5    | 0.726  | 0.727  | 0.927
busyRing   | 1912    | 1      | 1733 | 0.706  | 1.0    | TO    | 1542 | 0.999  | 1.0    | 34.86
busyRingMC | 2592    | 1      | 2574 | 0.969  | 1.0    | TO    | 2507 | 0.999  | 1.0    | 114.50

* The number of states and the values are computed using the probabilistic model checker STORM [14].

Table 3. Results on CTMDP benchmarks. Columns as in Table 2.

Benchmark      | States | Value  | BB explored | BB lower | BB upper | BB time (s) | GB explored | GB lower | GB upper | GB time (s)
DynamicPM      | 816    | 1.0    | 816  | 0.436 | 1.0   | TO     | 816  | 0.998 | 1.0   | 37.68
ErlangStages   | 508    | 1.0    | 508  | 0.962 | 1.0   | TO     | 508  | 0.999 | 1.0   | 8.118
PollingSystem1 | 16     | 0.922  | 16   | 0.811 | 0.937 | TO     | 6    | 0.816 | 0.937 | TO
PollingSystem2 | 348    | 0.999  | 348  | 0.637 | 0.999 | TO     | 348  | 0.998 | 0.999 | 21.893
PollingSystem3 | 1002   | 0.999  | 1002 | 0.232 | 1.0   | TO     | 1002 | 0.99  | 1.0   | 864.05
QueuingSystem  | 266    | 0.8783 | 266  | 0.703 | 0.906 | TO     | 266  | 0.865 | 0.886 | TO
SJS1           | 17     | 1.0    | 17   | 0.999 | 1.0   | 133.96 | 17   | 0.997 | 1.0   | 1.05
SJS2           | 7393   | 0.999  | 7341 | 0.02  | 1.0   | TO     | 7268 | 0.936 | 1.0   | TO
SJS3           | 433    | 1.0    | 433  | 0.919 | 1.0   | TO     | 432  | 0.999 | 0.999 | 5.3814
toy            | 12     | 1.0    | 12   | 0.99  | 1.0   | 5.6    | 2    | 0.999 | 1.0   | 1.112

The number of states and the true mean-payoff values are computed by first uniformizing the CTMDP, and then using STORM on the underlying MDP.


Blackbox Learning with Greybox Update Equations. We show the results of these experiments in the right side of Table 2. As observed, convergence is much faster here for all the benchmarks. All our benchmarks converged correctly within a few seconds to a few minutes. Hence, for a small degradation in MP-inconfidence, the use of greybox update equations works well in practice. We show the effect on MP-inconfidence in more detail in Table 8 in Appendix G of [1].


Blackbox Learning for CTMDPs. In Table 3 we show the results for CTMDP benchmarks. The number of states in these benchmarks varies from as low as 12 to more than 7000. All the models used here have a lot of small end-components. We observe that the upper and the lower values take more time to converge as the size of the model grows. Figure 1c and Fig. 1d show the convergence of lower and upper bounds for QueuingSystem and SJS3. As in the case of MDPs, using greybox update equations speeds up the learning process significantly.


Greybox Learning. Recall from Definition 3 that in greybox learning, for every state-action pair, we know the number of successors of the state for the given action. As expected, its convergence is much faster than that for blackbox learning, but comparable to the case where we do blackbox learning with greybox update equations. The details of the greybox learning experiments can be found in Appendix G of [1].


22 C. Agarwal et al.

[Fig. 1: four panels plotting lower and upper bounds (y-axis) against time in minutes (x-axis, 0 to 30) for blackbox (B) and greybox (G) update equations. (a) zeroconf: true value 1.0; final bounds B [0.9247, 1.0], G [0.9901, 1.0]. (b) pacman: true value 0.5511; B [0.536, 0.575], G [0.5476, 0.5576]. (c) QueuingSystem: true value 0.8783; B [0.7014, 0.9065], G [0.8638, 0.8865]. (d) SJS3: true value 1.0; B [0.9208, 1.0], G [1.0, 1.0].]

Fig. 1. Convergence of lower and upper bounds for blackbox update equations and greybox update equations.


7 Conclusion 


We presented the first PAC SMC algorithm for computing mean payoff in unknown MDPs and CTMDPs, where the only information needed is a lower bound on the minimum transition probability, as advocated in [13]. In contrast to a naive algorithm, which follows in a quite straightforward way from the literature, our algorithm is practically applicable, overcoming the astronomic number of simulation steps required. To this end, in particular, the inconfidence had to be distributed non-uniformly over the transitions and then the imprecision propagated by value iteration with precision guarantees. In future, we would like to thoroughly analyse how well weakening the PAC bounds can be traded for yet faster convergence. On the practical side, applying importance sampling and importance splitting could further improve the efficiency.
Abstract. We employ uncertain parametric CTMCs with parametric
transition rates and a prior on the parameter values. The prior encodes 
uncertainty about the actual transition rates, while the parameters allow 
dependencies between transition rates. Sampling the parameter values 
from the prior distribution then yields a standard CTMC, for which we 
may compute relevant reachability probabilities. We provide a principled 
solution, based on a technique called scenario-optimization, to the follow- 
ing problem: From a finite set of parameter samples and a user-specified 
confidence level, compute prediction regions on the reachability probabil- 
ities. The prediction regions should (with high probability) contain the 
reachability probabilities of a CTMC induced by any additional sample. 
To boost the scalability of the approach, we employ standard abstraction 
techniques and adapt our methodology to support approximate reach- 
ability probabilities. Experiments with various well-known benchmarks 
show the applicability of the approach. 


1 Introduction 


Continuous-time Markov chains (CTMCs) are widely used to model complex probabilistic systems in reliability engineering [51], network processes [36,38], systems biology [11,23] and epidemic modeling [2]. A key verification task is to compute aspects of system behavior from these models, expressed as, e.g., continuous stochastic logic (CSL) formulae [4,7]. Typically, we compute reachability probabilities for a set of horizons, such as: what is the probability that a target state is reached before time $t_1, \ldots, t_n$? Standard algorithms [7] implemented in mature model checking tools such as Storm [37] or Prism [42] provide efficient means to compute these reachability probabilities. However, these methods typically require that transition rates and probabilities are precisely known. This assumption is often unrealistic [34] and led to some related work, which we discuss in Sect. 7.


Illustrative Example. An epidemic can abstractly be modeled as a finite-state CTMC, e.g., the SIR (susceptible-infected-recovered) model [3], which is shown in Fig. 1a for a population of two. Such a CTMC assumes a fixed set of transition rates, in this case an infection rate $\lambda_i$ and a recovery rate $\lambda_r$. The outcome of analyzing this CTMC for fixed values of $\lambda_i$ and $\lambda_r$ may yield a probability curve like in Fig. 2a¹, where we plot the probability (y-axis) of reaching a target state that corresponds to the epidemic becoming extinct against varying time horizons (x-axis). In fact, the plot is obtained via a smooth interpolation of the results at finitely many horizons, cf. Fig. 2b. To acknowledge that $\lambda_i, \lambda_r$ are in fact unknown, we may analyze the model for different values of $\lambda_i, \lambda_r$, resulting in a set of curves as in Fig. 2c. These individual curves, however, provide no guarantees about the shape of the curve obtained from another infection and recovery rate. Instead, we assume a probability distribution over the transition rates and aim to compute prediction regions as those shown in Fig. 2d, in such a way that with a certain (high) probability, any rates $\lambda_i$ and $\lambda_r$ yield a curve within this region.

Fig. 1. An upCTMC $(M, P)$ for the SIR (pop=2) model.

Fig. 2. The probability of extinction in the SIR (140) model for horizons [100, t]. (Color figure online)


Overall Goal. From the illustrative example, we state the following goal. Each 
fixed set of transition rates induces a probability curve, i.e., a mapping from 
horizons to the corresponding reachability probabilities. We aim to construct 
prediction regions around a set of probability curves, such that with high proba- 
bility and high confidence, sampling a set of transition rates induces a probability 
curve within this region. Our key contribution is an efficient probably approxi- 
mately correct, or PAC-style method that computes these prediction regions. 
The remainder of the introduction explores the technical steps toward this goal. 


¹ For visual clarity, we plot the reachability probability between time 100 and $t_1, \ldots, t_n$. 

Uncertain CTMCs. The setting above is formally captured by parametric CTMCs 
(pCTMCs). Transition rates of pCTMCs are not given precisely but as (polyno- 
mials over) parameters [15,34], such as those shown in Fig. 1a. We assume a prior 
on each parameter valuation, i.e., assignment of values to parameters, similar to 
settings in [11,44] and in contrast to, e.g., [23,34]. These priors may result from 
asking different experts which value they would assume for, e.g., the infection rate. 
The prior may also be the result of Bayesian reasoning [56]. Formally, we capture 
the uncertainty in the rates by an arbitrary and potentially unknown probability 
distribution over the parameter space, see Fig. 1b. We call this model an uncertain 
pCTMC (upCTMC). The distribution allows drawing independent and identically 
distributed (i.i.d.) samples that yield (parameter-free) CTMCs. 


Problem Statement. We consider prediction regions on probability curves in the 
form of a pair of two curves that ‘sandwich’ the probability curves, as depicted 
in Fig. 2d. Intuitively, we then aim to find a prediction region R that is sufficiently 
large, such that sampling parameter valuations yields a probability curve in R 
with high probability p. We aim to compute a lower bound on this containment 
probability p. Naturally, we also aim to compute a meaningful, i.e. small (tight), 
prediction region R. As such, we aim to solve the following problem: 


Problem Statement. Given a upCTMC with a target state, compute 
1. a (tight) prediction region R on the probability curves, and 
2. a (tight) lower bound on the containment probability that a sampled 
parameter valuation induces a probability curve that will lie in R. 
We solve this problem with a user-specified confidence level $\beta$. 


The Problem Solved. In this paper, we present a method that samples probability 
curves as in Fig. 2c, but now for, say, 100 curves. From these curves, we compute 
prediction regions (e.g., both tubes in Fig. 2d) and compute a lower bound (one 
for both tubes) on the containment probability that the curve associated with any 
sampled parameter value will lie in the specific prediction region (tube). Specifi- 
cally, for a confidence level of 99% and considering 100 curves, we conclude that 
this lower bound is 79.4% for the red region and 7.5% for the blue region. For a 
higher confidence level of 99.9%, the lower bounds are slightly more conservative. 


A Change in Perspective. Toward the algorithm, we make a change in perspec- 
tive. For two horizons $t_1$ and $t_2$, reachability probabilities for fixed CTMCs are 
two-dimensional points in $[0, 1]^2$ that we call solution vectors, as shown in Fig. 3a. 
Here, these solution vectors represent pairs of the probabilities that the disease 
becomes extinct before time $t_1$ and before $t_2$. The prediction regions as in Fig. 2d 
are shown as the shaded boxes in Fig. 3a. 


Solving the problem algorithmically. We solve the problem using a sampling- 
based approach. Starting with a set of solution vectors, we use techniques from 
scenario optimization, a data-driven methodology for solving stochastic opti- 
mization problems [18,21]. As such, we construct the prediction region from the 
solution to an optimization problem. Our method can balance the size of the 
prediction region with the containment probability, as illustrated by the two 
boxes in Fig. 3a. 
Fig. 3. Prediction regions on the solution vectors for two different upCTMCs. 


Extensions. Our approach offers more than prediction regions on probability 
curves from precise samples. The change in perspective mentioned above allows 
for solution vectors that represent multiple objectives, such as the reachability 
with respect to different goal states, expected rewards or even the probability 
mass of paths satisfying more complex temporal properties. In our experiments, 
we show that this multi-objective approach —also on probability curves— yields 
much tighter bounds on the containment probability than an approach that 
analyzes each objective independently. We can also produce prediction regions 
as other shapes than boxes, as, for example, shown in Fig. 3b. To accelerate our 
approach, we significantly extend the methodology for dealing with imprecise 
verification results, given as an interval on each entry of the solution vector. 


Contributions. Our key contribution is the approach that provides prediction 
regions and lower bounds on probability curves for upCTMCs. The approach 
requires only about 100 samples and scales to upCTMCs with tens of parameters. 
Furthermore: (1) We extend our approach such that we can also handle the case 
where only imprecise intervals on the verification results are available. (2) We 
develop a tailored batch verification method in the model checker Storm [37] to 
accelerate the required batches of verification tasks. We accompany our contribu- 
tions by a thorough empirical evaluation and remark that our batch verification 
method can be used beyond scenario optimization. Our scenario optimization 
results are independent of the model checking and are, thus, applicable to any 
model where solution vectors are obtained in the same way as for upCTMCs. 


Data Availability. All source code, benchmarks, and logfiles used to produce the 
data are archived: https://doi.org/10.5281/zenodo.6523863. 


2 Problem Statement 


In this section, we introduce pCTMCs and upCTMCs, and we define the formal 
problem statement. We use probability distributions over finite and infinite sets; 
see [9] for details. The set of all distributions over a set X is denoted by Dist(X). 
The set of polynomials over parameters V, with rational coefficients, is denoted 
by $\mathbb{Q}[V]$. An instantiation $u: V \to \mathbb{Q}$ maps parameters to concrete values. We 
often fix a parameter ordering and denote instantiations as vectors, $u \in \mathbb{Q}^{|V|}$. 
Definition 1 (pCTMC). A pCTMC is a tuple $M = (S, s_I, V, R)$, where S is 
a finite set of states, $s_I \in Dist(S)$ is the initial distribution, V are the (ordered) 
parameters, and $R: S \times S \to \mathbb{Q}[V]$ is a parametric transition rate function. If 
$R(s, s') \in \mathbb{Q}_{\ge 0}$ for all $s, s' \in S$, then M is a (parameter-free) CTMC. 


For any pair of states $s, s' \in S$ with a non-zero rate $R(s, s') > 0$, the probability 
of triggering a transition from s to s' within t time units is $1 - e^{-R(s,s') \cdot t}$ [41]. 

Applying an instantiation u to a pCTMC M yields an instantiated CTMC 
$M[u] = (S, s_I, V, R[u])$ where $R[u](s, s') = R(s, s')[u]$ for all $s, s' \in S$. In the 
remainder, we only consider instantiations u for a pCTMC M which are well- 
defined. The set of such instantiations is the parameter space $V_M$. 

A central measure on CTMCs is the (time-bounded) reachability $\Pr(\Diamond^{\le \tau} E)$, 
which describes the probability that one of the error states $E \subseteq S$² is reached within 
the horizon $\tau \in \mathbb{Q}$. Other measures include the expected time to reach a par- 
ticular state, or the average time spent in particular states. We refer to [41] for 
details. 

Given a concrete (instantiated) CTMC M[u], the solution for measure $\varphi$ 
is denoted by $sol^{\varphi}_M[u] \in \mathbb{R}$; the solution vector $sol^{\Phi}_M[u] \in \mathbb{R}^m$ generalizes this 
concept to an (ordered) set of m measures $\Phi = \varphi_1, \ldots, \varphi_m$. We abuse notation 
and introduce the solution function to express solution vectors on a pCTMC: 


Definition 2 (Solution function). A solution function $sol^{\Phi}_M: V_M \to \mathbb{R}^{|\Phi|}$ is 
a mapping from a parameter instantiation $u \in V_M$ to the solution vector $sol^{\Phi}_M[u]$. 


We often omit the scripts in $sol^{\Phi}_M(u)$ and write $sol(u)$ instead. We also refer to 
$sol(u)$ as the solution vector of u. For n parameter samples $U_n = \{u_1, \ldots, u_n\}$ 
with $u_i \in V_M$, we denote the solution vectors by $sol(U_n) \in \mathbb{R}^{m \times n}$. 

Using solution vectors, we can define the probability curves shown in Fig. 2c. 


Definition 3 (Probability curve). The probability curve for reachability 
probability $\varphi_\tau = \Pr(\Diamond^{\le \tau} E)$ and CTMC M[u] is given by $probC: \tau \mapsto sol^{\varphi_\tau}_M[u]$. 


We can approximate the function probC for a concrete CTMC by computing 
$probC(t_1), \ldots, probC(t_m)$ for a finite set of time horizons. As such, we compute 
the solution vector w.r.t. m different reachability measures $\Phi = \{\varphi_{t_1}, \ldots, \varphi_{t_m}\}$. 
By exploiting the monotonicity³ of the reachability over time, we obtain an upper 
and lower bound on $probC(\tau)$ as two step functions, see Fig. 2d. We can smoothen 
the approximation by taking an upper and lower bound on these step functions. 

We study pCTMCs where the parameters follow a probability distribution. 
This probability distribution can be highly complex or even unknown; we merely 
assume that we can sample from this distribution. 


Definition 4 (upCTMC). A upCTMC is a tuple (M, P) with M a pCTMC 
and P a probability distribution over the parameter space $V_M$ of M. 
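As an added example (not the paper's code, and not Storm), the following Python computes the solution vectors of Definition 2 for a small SIR upCTMC: it builds the instantiated CTMC M[u] for a valuation u, evaluates the time-bounded reachability measures $\varphi_t$ of Definition 3 by uniformisation, and samples valuations from a prior P over the parameter space to obtain $sol(U_n)$. The SIR state space and rate function, the uniform prior, the horizons and the sample size are all assumptions of this example; Fig. 1a is not reproduced on this page.

```python
import math
import random

# Constructed SIR model (an assumption of this example): states are (s, i, r) with
# s + i + r = pop. An infection (s, i, r) -> (s-1, i+1, r) fires at rate lam_i * s * i,
# a recovery (s, i, r) -> (s, i-1, r+1) at rate lam_r * i. Parameters V = (lam_i, lam_r).
def sir_ctmc(pop, lam_i, lam_r):
    """Instantiated CTMC M[u] for u = (lam_i, lam_r): returns (states, rate matrix R[u])."""
    states = [(s, i, pop - s - i) for s in range(pop + 1) for i in range(pop + 1 - s)]
    index = {st: k for k, st in enumerate(states)}
    rate = [[0.0] * len(states) for _ in states]
    for (s, i, r), k in index.items():
        if s > 0 and i > 0:
            rate[k][index[(s - 1, i + 1, r)]] += lam_i * s * i
        if i > 0:
            rate[k][index[(s, i - 1, r + 1)]] += lam_r * i
    return states, rate


def reach_prob(states, rate, init, is_target, t, tol=1e-12):
    """Time-bounded reachability Pr(<>^{<=t} E) by uniformisation: the target states E are
    made absorbing, the chain is uniformised with rate lam = max exit rate, and the
    Poisson(k; lam*t)-weighted k-step probabilities of sitting in E are summed."""
    n = len(states)
    tgt = [k for k, st in enumerate(states) if is_target(st)]
    exit_rate = [0.0 if k in tgt else sum(rate[k]) for k in range(n)]
    lam = max(exit_rate) or 1.0
    # one-step matrix of the uniformised DTMC; rows of absorbing target states are identity
    P = [[(1.0 if j == k else 0.0) if k in tgt
          else (rate[k][j] / lam if j != k else 1.0 - exit_rate[k] / lam)
          for j in range(n)] for k in range(n)]
    dist = [0.0] * n
    dist[states.index(init)] = 1.0
    lt, k, prob = lam * t, 0, 0.0
    while True:
        # Poisson weight in log space so that a large lam*t does not underflow to zero
        pk = math.exp(k * math.log(lt) - lt - math.lgamma(k + 1)) if lt > 0 else float(k == 0)
        prob += pk * sum(dist[j] for j in tgt)
        if k > lt and pk < tol:          # remaining Poisson tail is negligible
            return prob
        dist = [sum(dist[a] * P[a][j] for a in range(n)) for j in range(n)]
        k += 1


def solution_vectors(pop, horizons, n, prior, seed=0):
    """sol(U_n): draw n i.i.d. valuations u from the prior P (assumed here to be uniform
    over a box ((lo_i, hi_i), (lo_r, hi_r))) and compute, for each, the solution vector
    over the measures phi_t = Pr(<>^{<=t} extinct), t in horizons."""
    rng = random.Random(seed)
    (lo_i, hi_i), (lo_r, hi_r) = prior
    init = (pop - 1, 1, 0)                   # one initially infected individual
    extinct = lambda st: st[1] == 0          # target: no infected individuals left
    vectors = []
    for _ in range(n):
        u = (rng.uniform(lo_i, hi_i), rng.uniform(lo_r, hi_r))
        states, rate = sir_ctmc(pop, *u)
        vectors.append([reach_prob(states, rate, init, extinct, t) for t in horizons])
    return vectors
```

With lam_i = 0 the model from (1, 1, 0) reduces to a single Exp(lam_r) recovery, so reach_prob must return 1 − e^{−lam_r·t}; that identity is a convenient check that the uniformisation is implemented correctly. Each row of solution_vectors is one probability curve sampled at the chosen horizons, i.e. one of the curves in Fig. 2c.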


² Formally, states are labeled and E describes the label, see [8]. 
³ In Definition 3, only the upper limit on the timebound is varied, so measures are mono- 
tonic. 

A upCTMC defines a probability space $(V_M, P)$ over the parameter values, whose 
domain is defined by the parameter space $V_M$. In the remainder, we denote a 
sample from $V_M$ drawn according to P by $u \in V_M$. 

To quantify the performance of a upCTMC, we may construct a prediction 
region on the solution vector space, such as those shown in Fig. 3a. In this paper, 
we consider only prediction regions which are compact subsets $R \subseteq \mathbb{R}^{|\Phi|}$. We 
define the so-called containment probability of a prediction region, which is the 
probability that the solution vector $sol(u)$ for a randomly sampled parameter 
$u \in V_M$ is contained in R, as follows: 


Definition 5 (Containment probability). For a prediction region R, the 
containment probability $contain_P(R)$ is the probability that the solution vector 
$sol(u)$ for any parameter sample $u \in V_M$ is contained in R: 

$$contain_P(R) = \Pr\{u \in V_M : sol(u) \in R\}. \tag{1}$$


Recall that we solve the problem in Sect. 1 with a user-specified confidence level, 
denoted by $\beta \in (0,1)$. Formally, we solve the following problem: 


Formal Problem. Given a upCTMC (M, P), a set $\Phi$ of measures, and 
a confidence level $\beta \in (0,1)$, compute a (tight) prediction region R and a 
(tight) lower bound $\mu \in (0,1)$ on the containment probability, such that 
$contain(R) \ge \mu$ holds with a confidence level of at least $\beta$. 


The problem in Sect. 1 is a special case of the formal problem, with $\Phi$ the reach- 
ability probability over a set of horizons. In that case, we can overapproximate 
a prediction region as a rectangle, yielding an interval $[\underline{c}, \bar{c}]$ for every horizon t 
that defines where the two step functions (see below Definition 3) change. We 
smoothen these step functions (similar to probability curves) to obtain the fol- 
lowing definition: 


Definition 6 (Prediction region for a probability curve). A prediction 
region R over a probability curve probC is given by two curves $\underline{c}, \bar{c}: \mathbb{Q}_{\ge 0} \to \mathbb{R}$ as 
the area in-between: $R = \{(t, y) \in \mathbb{Q} \times \mathbb{R} \mid \underline{c}(t) \le y \le \bar{c}(t)\}$. 


We solve the problem by sampling a finite set $U_n$ of parameter values of the 
upCTMC and computing the corresponding solution vectors $sol(U_n)$. In Sect. 3, 
we solve the problem assuming that we can compute solution vectors exactly. In 
Sect. 4, we consider a less restricted setting in which every solution is imprecise, 
i.e. only known to lie in a certain interval. 


3 Precise Sampling-Based Prediction Regions 


In this section, we use scenario optimization [16,18] to compute a high-confidence 
lower bound on the containment probability. First, in Sect. 3.1, we describe how 
to compute a prediction region using the solution vectors $sol(U_n)$ for the param- 
eter samples $U_n$. In Sect. 3.2, we clarify how to compute a lower bound on the 
containment probability with respect to this prediction region. In Sect. 3.3, we 
construct an algorithm based on those results that solves the formal problem. 
3.1 Constructing Prediction Regions 


We assume that we are given a set of solution vectors $sol(U_n)$ obtained from n 
parameter samples. We construct a prediction region R based on these vectors 
such that we can annotate these regions with a lower bound on the containment 
probability, as in the problem statement. For conciseness, we restrict ourselves 
to the setting where R is a hyperrectangle in $\mathbb{R}^m$, with $m = |\Phi|$ the number of 
measures, cf. Remark 1 below. In the following, we represent R using two vectors 
(points) $\underline{x}, \bar{x} \in \mathbb{R}^m$ such that, using pointwise inequalities, $R = \{x \mid \underline{x} \le x \le \bar{x}\}$. 
For an example of such a rectangular prediction region, see Fig. 3a. 

As also shown in Fig. 3a, we do not require R to contain all solutions in 
$sol(U_n)$. Instead, we have two orthogonal goals: we aim to minimize the size of 
R, while also minimizing the (Manhattan) distance of samples to R, measured 
in their 1-norm. Solutions contained in R are assumed to have a distance of zero, 
while solutions not contained in R are called relaxed. These goals define a multi- 
objective problem, which we solve by weighting the two objectives using a fixed 
parameter $\rho > 0$, called the cost of relaxation, that is used to scale the distance 
to R. Then, $\rho \to \infty$ enforces $sol(U_n) \subseteq R$, as in the outer box in Fig. 3a, while 
for $\rho \to 0$, R is reduced to a point. Thus, the cost of relaxation $\rho$ is a tuning 
parameter that determines the size of the prediction region R and hence the 
fraction of the solution vectors that is contained in R (see [19,21] for details). 

We capture the problem described above in the following convex optimiza- 
tion problem $\mathcal{L}^\rho_n$: We define the decision variables $\underline{x}, \bar{x} \in \mathbb{R}^m$ to represent the 
prediction region. In addition, we define a decision variable $\xi_i \in \mathbb{R}^m_{\ge 0}$ for every 
sample $i = 1, \ldots, n$ that acts as a slack variable representing the distance to R. 

$$\mathcal{L}^\rho_n:\quad \text{minimize} \quad \|\bar{x} - \underline{x}\|_1 + \rho \sum_{i=1}^{n} \|\xi_i\|_1 \tag{2a}$$

$$\text{subject to} \quad \underline{x} - \xi_i \le sol(u_i) \le \bar{x} + \xi_i \quad \forall i = 1, \ldots, n. \tag{2b}$$


The objective function in Eq. (2a) minimizes the size of R —by minimizing the 
sum of the width of the prediction region in all dimensions— plus $\rho$ times the 
distances of the samples to R. We denote the optimal solution to problem $\mathcal{L}^\rho_n$ 
for a given $\rho$ by $R^*_\rho, \xi^*_\rho$, where $R^*_\rho = [\underline{x}^*_\rho, \bar{x}^*_\rho]$ for the rectangular case. 


Assumption 1. The optimal solution $R^*_\rho, \xi^*_\rho$ to $\mathcal{L}^\rho_n$ exists and is unique. 


Note that Definition 2 ensures finite-valued solution vectors, thus guaranteeing the 
existence of a solution to Eq. (2). If the solution is not unique, we apply a suitable 
tie-break rule that selects one solution of the optimal set (e.g., the solution with a 
minimum Euclidean norm, see [16]). The following example shows that values of 
p exist for which such a tie-break rule is necessary to obtain a unique solution. 


Example 1. Figure 4 shows a set of solution vectors in one dimension, labeled A- 
F. Consider prediction region $R_1 = [A, F]$. The corresponding objective value Eq. 
(2a) is $\|\bar{x} - \underline{x}\|_1 + \rho \cdot \sum_i \xi_i = \|\bar{x} - \underline{x}\|_1 = \delta_1 + \cdots + \delta_5$, as all $\xi_i = 0$. For prediction 
region $R_2 = [B, E]$, the objective value is $\delta_2 + \delta_3 + \delta_4 + \rho \cdot (\delta_1 + \delta_5)$. Thus, for $\rho > 1$, 
solving $\mathcal{L}^\rho_n$ yields $R_1$ whereas for $\rho < 1$, relaxing solutions A and F is cheaper than 
not doing so, so $R_2$ is optimal. When $\rho = 1$, however, relaxing solutions A and F 
yields the same cost as not relaxing these samples, so a tie-break rule is needed (see 
above). For $\rho < \frac{1}{2}$, relaxing samples A, B, E, and F is cost-optimal, resulting in 
the prediction region containing exactly {C, D}. 


Similarly, we can consider cases with more samples and multiple measures, as 
shown in Fig. 5 (see [6, Appendix A] for more details). The three prediction 
regions in Fig. 5 are obtained for different costs of relaxation $\rho$. For $\rho = 2$, the 
region contains all vectors, while for a lower $\rho$, more vectors are left outside. 


Remark 1. While problem $\mathcal{L}^\rho_n$ in Eq. (2) yields a rectangular prediction region, we 
can also produce other shapes. We may, e.g., construct a Pareto front as in Fig. 3b, 
by adding additional affine constraints [12]. In fact, our only requirement is that 
the objective function is convex, and the constraints are convex in the decision 
variables (the dependence of the constraints on u may be arbitrary) [21]. 


3.2 Bounding the Containment Probability 


The previous section shows how we compute a prediction region based on convex 
optimization. We now characterize a valid high-confidence lower bound on the 
containment probability w.r.t. the prediction region given by the optimal solution 
to this optimization problem. Toward that result, we introduce the so-called 
complexity of a solution to problem $\mathcal{L}^\rho_n$ in Eq. (2), a concept used in [21] that is 
related to the compressibility of the solution vectors $sol(U_n)$: 


Definition 7 (Complexity). For $\mathcal{L}^\rho_n$ with optimal solution $R^*_\rho, \xi^*_\rho$, consider a 
set $W \subseteq U_n$ and the associated problem $\mathcal{L}^\rho_W$ with optimal solution $R^W_\rho, \xi^W_\rho$. The 
set W is critical, if 

$$R^W_\rho = R^*_\rho \quad \text{and} \quad \{u_i \mid \xi^*_{\rho,i} > 0\} \subseteq W.$$

The complexity $c^*_\rho$ of $R^*_\rho$ is the cardinality of the smallest critical set. We 
also call $c^*_\rho$ the complexity of $\mathcal{L}^\rho_n$. 

Fig. 6. Lower bounds $\eta$ on the containment probability as a function of the complexity 
c, obtained from Theorem 1 for different confidence levels $\beta$. 


If a sample $u_i$ has a value $\xi^*_{\rho,i} > 0$, its solution vector has a positive distance 
to the prediction region $R^*_\rho$ (i.e., $[\underline{x}^*_\rho, \bar{x}^*_\rho]$ for the rectangular case). Thus, the 
complexity $c^*_\rho$ is the number of samples for which $sol(u_i) \notin R^*_\rho$, plus the min- 
imum number of samples needed on the boundary of the region to keep the 
solution unchanged. We describe in Sect. 3.3 how we algorithmically determine 
the complexity. 


Example 2. In Fig. 5, the prediction region for $\rho = 2$ contains all solution vectors, 
so $\xi^*_{2,i} = 0\ \forall i$. Moreover, if we remove all but four solutions (the ones on the 
boundary of the region), the optimal solution to problem $\mathcal{L}^\rho_n$ remains unchanged, 
so the complexity is $c^*_2 = 0 + 4 = 4$. Similarly, the complexity for $\rho = 0.4$ is 
$c^*_{0.4} = 8 + 2 = 10$ (8 solutions outside the region, and 2 on the boundary). 


Recall that Definition 5 defines the containment probability of a generic predic- 
tion region R, so $contain(R^*_\rho)$ is the containment probability w.r.t. the optimal 
solution to $\mathcal{L}^\rho_n$. We adapt the following theorem from [21], which gives a lower 
bound on the containment probability $contain(R^*_\rho)$ of an optimal solution to $\mathcal{L}^\rho_n$ 
for a predefined value of $\rho$. This lower bound is correct with a user-defined confi- 
dence level of $\beta \in (0,1)$, which we typically choose close to one (e.g., $\beta = 0.99$). 


Theorem 1. Let $U_n$ be a set of n samples, and let $c^*_\rho$ be the complexity of 
problem $\mathcal{L}^\rho_n$. For any confidence level $\beta \in (0,1)$ and any upper bound $d^* \ge c^*_\rho$, it 
holds that 

$$P^n \{ contain(R^*_\rho) \ge \eta(d^*) \} \ge \beta, \tag{3}$$

where $R^*_\rho$ is the prediction region for $\mathcal{L}^\rho_n$. Moreover, $\eta$ is a function defined as 
$\eta(n) = 0$, and otherwise, $\eta(c)$ is the smallest positive real-valued solution to the 
following polynomial equality in the t variable for a complexity of c: 


(Jeet E ema o 


i=c i=n+1 
We provide the proof of Theorem 1 in [6, Appendix B.1]. With a probability 
of at least $\beta$, Theorem 1 yields a correct lower bound. That is, if we solve $\mathcal{L}^\rho_n$ 
for many more sets of n parameter samples (note that, as the samples are i.i.d., 
these sets are drawn according to the product probability $P^n$), the inequality in 
Eq. (3) is incorrect for at most a $1 - \beta$ fraction of the cases. We plot the lower 
bound $\eta(c)$ as a function of the complexity $c = 0, \ldots, n$ in Fig. 6, for different 
sample sizes n and confidence levels $\beta$. These figures show that an increased 
complexity leads to a lower $\eta$, while increasing the sample size leads to a tighter 
bound. 

Fig. 7. Overview of our approach for solving the problem statement. 


Example 3. We continue Example 2. Recall that the complexity for the outer 
region in Fig. 5 is $c^*_{\rho=2} = 4$. With Theorem 1, we compute that, for a confidence 
level of $\beta = 0.9$, the containment probability for this prediction region is at least 
$\eta = 0.615$ (cf. Fig. 6a). For a stronger confidence level of $\beta = 0.999$, we obtain 
a more conservative lower bound of $\eta = 0.455$. 


3.3 An Algorithm for Computing Prediction Regions 


We combine the previous results in our algorithm, which is outlined in Fig. 7. 
The goal is to obtain a set of prediction regions as in Fig. 5 and their associated 
lower bounds. To strictly solve the problem statement, assume k = 1 in the 
exposition below. We first outline the complete procedure before detailing Steps 
4 and 5. 

As preprocessing steps, given a upCTMC (M, P), we first (1) sample a set 
$U_n$ of n parameter values. Using M and $\Phi$, a (2) model checking algorithm 
then computes the solution vector $sol^{\Phi}_M(u)$ for each $u \in U_n$, yielding the set of 
solutions $sol(U_n)$. We then use $sol(U_n)$ as basis for (3) the scenario problem $\mathcal{L}^\rho_n$ in 
Eq. (2), which we solve for k predefined values $\rho_1, \ldots, \rho_k$, yielding k prediction 
regions $R^*_{\rho_1}, \ldots, R^*_{\rho_k}$. We (4) compute an upper bound $d^*_\rho$ on the complexity $c^*_\rho\ \forall \rho$. 
Finally, we (5) use the result in Theorem 1, for a given confidence $\beta$, to compute 
the lower bound on the containment probability $\eta(d^*_\rho)$ of $R^*_\rho$. Using Definition 6, 
we can postprocess this region to a prediction region over the probability curves. 


Step (3): Choosing values for $\rho$. Example 1 shows that relaxation of additional 
solution vectors (and thus a change in the prediction region) only occurs at 
critical values of $\rho = 1/n$, for $n \in \mathbb{N}$. In practice, we will use $\rho$ = aos z for +10 
values of $n \in \mathbb{N}$ to obtain gradients of prediction regions as in Sect. 6. 


Step (4): Computing complexity. Computing the complexity $c^*_\rho$ is a combinatorial 
problem in general [30], because we must consider the removal of all combinations 
of the solutions on the boundary of the prediction region $R^*_\rho$. In practice, we 
compute an upper bound $d^*_\rho \ge c^*_\rho$ on the complexity via a greedy algorithm. 
Specifically, we iteratively solve $\mathcal{L}^\rho_n$ in Eq. (2) with one more sample on the 
boundary removed. If the optimal solution is unchanged, we conclude that this 
sample does not contribute to the complexity. If the optimal solution is changed, 
we put the sample back and proceed by removing a different sample. This greedy 
algorithm terminates when we have tried removing all solutions on the boundary. 
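The following Python, an added example rather than the paper's implementation, solves the rectangular scenario problem $\mathcal{L}^\rho_n$ of Eq. (2) exactly for small sample sets and runs the greedy complexity bound of Step (4) on the result. It serves both Example 1 (the six one-dimensional solution vectors A to F, whose positions are constructed here) and this step. Two things are assumptions of this example rather than the paper's method: the LP is solved per coordinate (the 1-norm makes the problem separable, as Sect. 4.1 notes), and in one coordinate the optimal interval endpoints are enumerated over the sample values, which is exact because the objective is piecewise linear with breakpoints only at samples.

```python
def _cost_1d(points, lo, hi, rho):
    """Width of [lo, hi] plus rho times the 1-norm distances of the samples outside it
    (the one-coordinate contribution to the objective of Eq. (2a))."""
    return (hi - lo) + rho * sum(max(0.0, lo - p) + max(0.0, p - hi) for p in points)


def best_interval(points, rho):
    """Optimal [lo, hi] for one coordinate, found by enumerating all pairs of sample
    values. Tie-break rule for Assumption 1: among optimal intervals, the one with the
    smallest lo and then the smallest hi is chosen."""
    xs = sorted(set(points))
    best = None
    for a, lo in enumer
    ...
```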


Step (5): Computing lower bounds. Theorem 1 characterizes a computable func- 
tion B(d*,n, 3) that returns zero for d* = n (i.e., all samples are critical), and 
otherwise uses the polynomial Eq. (4) to obtain 7, which we solve with an approx- 
imate root finding method in practice (see [31] for details on how to ensure that 
we find the smallest root). For every upper bound on the complexity d* and 
any requested confidence, we obtain the lower bound 7 = B(d*,n, 3) for the 
containment probability w.r.t. the prediction region Rj. 


4 Imprecise Sampling-Based Prediction Regions 


Thus far, we have solved our problem statement under the assumption that 
we compute the solution vectors precisely (up to numerics). For some models, 
however, computing precise solutions is expensive. In such a case, we may choose 
to compute an approximation, given as an interval on each entry of the solution 
function. In this section, we deal with such imprecise solutions. 


Setting. Formally, imprecise solutions are described by the bounds 
sol” (u), sol" (u) € R™ such that sol~ (u) < sol(u) < sol*(u) holds with pointwise 
inequalities. Our goal is to compute a prediction region R and a (high-confidence) 
lower bound p such that contain(R) > p, i.e., a lower bound on the probabil- 
ity that any precise solution sol(u) is contained in R. However, we must now 
compute R and contain(R) from the imprecise solutions sol~,sol*. Thus, we 
aim to provide a guarantee with respect to the precise solution sol(u), based on 
imprecise solutions. 


Challenge. Intuitively, if we increase the (unknown) prediction region R* from 
problem £f, (for the unknown precise solutions) while also overapproximating 
the complexity of £}, we obtain sound bounds. We formalize this idea as follows. 


Lemma 1. Let R} be the prediction region and č% the complexity that result from 
solving £f, for the precise (unknown) solutions sol(U,,). Given a set R € R” and 
d EN, for any confidence level 3 € (0,1), the following implication holds: 


i C R and Co <d => P" {contain(R) > n(a) } > B, (5) 
where n(n) = 0, and otherwise, n(d) is the smallest positive real-valued solution 
to the polynomial equality in Eq. (4). 


The proof is in [6, Appendix B.2]. In what follows, we clarify how we compute 
the appropriate R and d in Lemma 1. As we will see, in contrast to Sect. 3, these 
results do not carry over to other definitions £f, (for non-rectangular regions R). 
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4.1 Prediction Regions on Imprecise Solutions 


In this section, we show how to compute R > Rj, satisfying the first term in 
the premise of Lemma 1. We construct a conservative box around the imprecise 
solutions as in Fig. 9, containing both sol” (u) and solt (u). We compute this box 
by solving the following problem 6f, as a modified version of £}, in Eq. (2): 


6? : minimize ||Z — z||ı +o% léh (6a) 
i=1 
subject to 2 —&; < sol™ (uj), sol*(u;)<%+€ Vi=1,...,n. (6b) 


We denote the optimal solution of 67 by [z/,,2/],€/, (recall that the opti- 


mum to £7, is written as [x*,2%],€*).* If a sample u; € Vm in problem 6% 
is relaxed (i.e., has a non-zero €;), part of the interval [sol7 (u;), solt (u;)] is not 
contained in the prediction region. The following result (for which the proof is 
in [6, Appendix B.3]. relates £}, and 6f,, showing that we can use [x2] as R 


in Lemma 1. 


T] 


Theorem 2. Given p, sample set Un, and prediction region EAER | to problem 


Gt), it holds that [x*,@5] C [x’,, 3], with |x, 33] the optimal solution to LP). 


We note that this result is not trivial. In particular, the entries €; from both LPs 
are incomparable, as are their objective functions. Instead, Theorem 2 relies on 
two observations. First, due to the use of the 1-norm, the LP 6), can be decom- 
posed into n individual LPs, whose results combine into a solution to the original 
LP. This allows us to consider individual dimensions. Second, the solution vec- 
tors that are relaxed depend on the value of p and on their relative order, but 
not on the precise position within that order, which is also illustrated by Exam- 
ple 1. In combination with the observation from Example 1 that the outermost 
samples are relaxed at the (relatively) highest p, we can provide conservative 
guarantees on which samples are (or are surely not) relaxed. We formalize these 
observations and provide a proof of Theorem 2 in [6, Appendix B.3}. 


4 We write [z, 2%] and [z/,,Z,], as results in Sect. 4 apply only to rectangular regions. 
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4.2 Computing the Complexity 


To satisfy the second term of the premise in Lemma 1, we compute an upper 
bound on the complexity. We first present a negative result. Let the complexity 
cl, of problem 67, be defined analogous to Definition 7, but with [z’/,,z/,] as the 
region. 


Lemma 2. In general, c < c, does not hold. 


Proof. In Fig.9, the smallest critical set for the imprecise solutions are 
those labeled {1,2,7}, while this set is {1,3,5,7} under precise solutions, so 
Cle 


Thus, we cannot upper bound the complexity directly from the result to 6?,. We 
can, however, determine the samples that are certainly not in any critical set 
(recall Definition 7). Intuitively, a sample is surely noncritical if its (imprecise) 
solution is strictly within the prediction region and does not overlap with any 
solution on the region’s boundary. In Fig. 8, sample ug is surely noncritical, but 
sample us is not (whether us is critical depends on its precise solution). Formally, 
let OR be the boundary” of region |z}, 7/,], and let B be the set of samples whose 
solutions overlap with ôR, which is B = {u € Un : [sol (u), sol (u) OR £ Ø}. 
Definition 8. For a region |x, z], let T C [x5, z] be the rectangle of largest 
volume, such that T N [sol7(u),solt(u)] = Ø for any u € B. A sample ui € Vm 
is surely noncritical if [sol (u;),sol*(u;)] C Z. The set of all surely noncritical 


samples w.r.t. the (unknown) prediction region |x}, z3] is denoted by X C Un. 


As a worst case, any sample not surely noncritical can be in the smallest critical 
set, leading to the following bound on the complexity as required by Lemma 1. 


Theorem 3. Let X be the set of surely noncritical samples. Then ci, < \Un\ £|. 


The proof is in [6, Appendix B.4]. For imprecise solutions, the bound in 
Theorem 3 is conservative but can potentially be improved, as discussed in the 
following. 


4.3 Solution Refinement Scheme 


Often, we can refine imprecise solutions arbitrarily (at the cost of an increased 
computation time). Doing so, we can improve the prediction regions and upper 
bound on the complexity, which in turn improves the computed bound on the 
containment probability. Specifically, we propose the following rule for refining 
solutions. After solving 6%, for a given set of imprecise solutions, we refine the 
solutions on the boundary of the obtained prediction region. We then resolve 
problem 6%, thus adding a loop back from (4) to (2) in our algorithm shown in 
Fig. 7. In our experiments, we demonstrate that with this refinement scheme, we 
iteratively improve our upper bound d > c% and the smallest superset R 2 Rj. 


5 The boundary of a compact set is defined as its closure minus its interior [45]. 


Sampling-Based Verification of CTMCs with Uncertain Rates 39 


5 Batch Verification for CTMCs 


One bottleneck in our method is to obtain the necessary number of solution 
vectors $\mathrm{sol}(U_N)$ by model checking. The following improvements, while mild, are 
essential in our implementation and therefore deserve a brief discussion. 

In general, computing $\mathrm{sol}(u)$ via model checking consists of two parts. First, 
the high-level representation of the upCTMC —given in Prism [42], JANI [13], 
or a dynamic fault tree⁶— is translated into a concrete CTMC $M[u]$. Then, from 
$M[u]$ we construct $\mathrm{sol}(u)$ using off-the-shelf algorithms [7]. We adapt the pipeline 
by tailoring the translation and the approximate analysis as outlined below. 

Our implementation supports two methods for building the concrete CTMC 
for a parameter sample: (1) by first instantiating the valuation in the specification 
and then building the resulting concrete CTMC, or (2) by first building the 
pCTMC $M$ (only once) and then instantiating it for each parameter sample to 
obtain the concrete CTMC $M[u]$. Which method is faster depends on the specific 
model (we only report results for the fastest method in Sect. 6 for brevity). 


Partial models. To accelerate the time-consuming computation of solution vectors 
by model-checking on large models, it is natural to abstract the models into smaller 
models amenable to faster computations. Similar to ideas used for dynamic fault 
trees [55] and infinite CTMCs [48], we employ an abstraction which only keeps the 
most relevant parts of a model, i.e., states with a sufficiently large probability to be 
reached from the initial state(s). Analysis on this partial model then yields best- 
and worst-case results for each measure by assuming that all removed states are 
either target states (best case) or are not (worst case), respectively. This method 
returns imprecise solution vectors as used in Sect. 4, which can be refined up to an 
arbitrary precision by retaining more states of the original model. 

Similar to building the complete models, two approaches are possible to create 
the partial models: (1) fixing the valuation and directly abstracting the concrete 
CTMC, or (2) first building the complete pCTMC and then abstracting the 
concrete CTMC. We reuse partial models for similar valuations to avoid costly 
computations. We cluster parameter valuations which are close to each other (in 
Euclidean distance). For parameter valuations within one cluster, we reuse the 
same partial model (in terms of the states), albeit instantiating it according to 
the precise valuation. 
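To make the best-/worst-case construction of the partial models concrete, here is an added Python example (constructed, not the paper's Storm-based implementation) on a small degradation chain with assumed rates lam (wear), mu (repair) and gamma (planned shutdown): states whose probability of being reached from the initial state falls below a threshold are collapsed into one absorbing SINK state, and the measure P(reach FAIL) is computed twice, once counting SINK as a target (best case, $\mathrm{sol}^+(u)$) and once not (worst case, $\mathrm{sol}^-(u)$). The measure is unbounded reachability, so the embedded DTMC suffices; the time-bounded measures of the benchmarks would need transient analysis, which is not reproduced. Choosing the kept states by computing every state's reachability probability on the full model is only affordable because the model is tiny; a real implementation decides this during state-space exploration.

```python
"""Partial-model abstraction of Sect. 5 on a constructed parametric CTMC.
Added example, not the paper's implementation (which is built into Storm).
Assumed model: a degradation chain with wear rate lam, repair rate mu and a
planned-shutdown rate gamma; the measure is the probability of reaching FAIL.
Dropped states are collapsed into one absorbing SINK; treating SINK as a target
gives the best case sol^+(u), treating it as non-target gives the worst case sol^-(u)."""

FAIL, SHUT, SINK = "FAIL", "SHUT", "SINK"


def rates(u, n_work=8):
    """Rate matrix R[u] as dict state -> {successor: rate}; FAIL and SHUT are absorbing."""
    lam, mu, gamma = u
    R = {FAIL: {}, SHUT: {}}
    for s in range(n_work):
        R[s] = {(s + 1 if s + 1 < n_work else FAIL): lam, SHUT: gamma}
        if s > 0:
            R[s][s - 1] = mu
    return R


def embedded(R):
    """Jump probabilities of the embedded DTMC; absorbing states get a self-loop.
    Unbounded reachability in the CTMC equals that in its embedded DTMC."""
    P = {}
    for s, succ in R.items():
        total = sum(succ.values())
        P[s] = {t: r / total for t, r in succ.items()} if total > 0 else {s: 1.0}
    return P


def reach_prob(P, init, target, tol=1e-12, max_iter=100_000):
    """Probability of eventually reaching `target`, by value iteration from below."""
    x = {s: 0.0 for s in P}
    for _ in range(max_iter):
        new = {s: 1.0 if s in target else sum(p * x[t] for t, p in P[s].items())
               for s in P}
        converged = max(abs(new[s] - x[s]) for s in P) < tol
        x = new
        if converged:
            break
    return x[init]


def partial_model(P, keep):
    """Keep only the states in `keep`; every transition into a dropped state goes to SINK."""
    Q = {SINK: {SINK: 1.0}}
    for s in keep:
        Q[s] = {}
        for t, p in P[s].items():
            t2 = t if t in keep else SINK
            Q[s][t2] = Q[s].get(t2, 0.0) + p
    return Q


def imprecise_solution(R, init, target, threshold):
    """(sol^-, sol^+, number of kept states): states whose probability of being
    reached from `init` is below `threshold` are dropped from the model."""
    P = embedded(R)
    keep = {init} | {s for s in P if reach_prob(P, init, {s}) >= threshold}
    Q = partial_model(P, keep)
    lo = reach_prob(Q, init, target & keep)             # worst case: SINK is not a target
    hi = reach_prob(Q, init, (target & keep) | {SINK})  # best case: SINK counts as target
    return lo, hi, len(keep)


def exact_solution(R, init, target):
    """Reference value on the full model."""
    return reach_prob(embedded(R), init, target)


U = (0.5, 1.0, 0.1)  # constructed parameter sample (lam, mu, gamma)

if __name__ == "__main__":
    exact = exact_solution(rates(U), 0, {FAIL})
    for thr in (0.1, 0.01, 0.001):
        lo, hi, kept = imprecise_solution(rates(U), 0, {FAIL}, thr)
        print(f"threshold {thr}: kept {kept} states, [{lo:.5f}, {hi:.5f}], exact {exact:.5f}")
```

Low thresholds retain more states and tighten $[\mathrm{sol}^-(u), \mathrm{sol}^+(u)]$ around the exact value, which is what "refined up to an arbitrary precision by retaining more states" means above; with threshold 0.1 the FAIL state itself is dropped, so the worst case is 0 and only the best case carries information.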


6 Experiments 


We answer three questions about (a prototype implementation of) our approach: 


Q1. Can we verify CTMCs taking into account the uncertainty about the rates? 
Q2. How well does our approach scale w.r.t. the number of measures and samples? 
Q3. How does our approach compare to naive baselines (to be defined below)? 


Setup. We implement our approach using the explicit engine of Storm [37] and 
the improvements of Sect. 5 to sample from upCTMCs in Python. Our current 


⁶ Fault trees are a common formalism in reliability engineering [51]. 
Table 1. Excerpt of the benchmark statistics (sampling time is per 100 CTMCs). 

                              Model size                     Storm run time [s]        Scen. opt. time [s]
Benchmark      |Φ|  #pars   #states      #trans       Init.    Sample (x100)     N = 100    N = 200
SIR (140)       26     2       9996       19716        0.29        2947.29        18.26      63.27
SIR (140)^a     26     2       9996       19716        0.29         544.27        25.11     129.66
Kanban (3)       4    13      58400      446400        4.42          46.95         2.28       6.69
Kanban (5)       4    13    2546432    24460016      253.39        4363.63         2.03       5.94
Polling (9)      2     2       6912       36864        0.64          22.92         2.13       6.66
buffer           2     5        632       21968        0.48          20.70         1.21       4.15
Tandem (31)      2             2016        6819        0.11         862.41         5.19      24.30
rbe             40     6       2269       12930        0.01           1.40         5.27      16.88
rc (1,1)        25    21       8401       49446       27.20          74.90         5.75      20.34
rc (1,1)^a      25    21      n/a^b       n/a^b        0.02           2.35        29.23     150.61
rc (2,2)^a      25    29      n/a^b       n/a^b        0.03          27.77        24.86     132.63
hecs (2,1)^a    25     5      n/a^b       n/a^b        0.02           9.83        26.78     145.77
hecs (2,2)^a    25    24      n/a^b       n/a^b        0.02         194.25        33.06     184.32

^a Computed using approximate model checking up to a relative gap between upper 
bound $\mathrm{sol}^+(u)$ and lower bound $\mathrm{sol}^-(u)$ below 1% for every sample $u \in U_N$. 
^b Model size is unknown, as the approximation does not build the full state-space. 
implementation is limited to pCTMC instantiations that are graph-preserving, i.e. 
for any pair $s, s' \in S$ either $R(s,s')[u] = 0$ or $R(s,s')[u] > 0$ for all $u$. We solve 
optimization problems using the ECOS solver [29]. All experiments ran single-threaded 
on a computer with 32 3.7 GHz cores and 64 GB RAM. We show the effectiveness 
of our method on a large number of publicly available pCTMC [35] and fault tree 
benchmarks [50] across domains (details in [6, Appendix C]). 


Q1. Applicability 


An excerpt of the benchmark statistics is shown in Table 1 (see [6, Appendix C] 
for the full table). For all but the smallest benchmarks, sampling and computing 
the solution vectors by model checking is more expensive than solving the 
scenario problems. In the following, we illustrate that 100 samples are sufficient 
to provide qualitatively good prediction regions and associated lower bounds. 




Table 2. Lower bounds $\hat{\mu}$ and standard deviation (SD), vs. the observed number of 
1000 additional solutions that indeed lie within the obtained regions. 

(a) Kanban (3). 
         β = 0.9           β = 0.999          Frequentist
  n      μ̂      SD         μ̂      SD          Observed
 100   0.862  0.000      0.798  0.000       959 ± 22.7
 200   0.930  0.000      0.895  0.000       967 ± 17.4
 400   0.965  0.001      0.947  0.001       984 ± 8.6
 800   0.982  0.000      0.973  0.000       994 ± 3.2

(b) Railway crossing (1,1,hc). 
         β = 0.9           β = 0.999          Frequentist
  n      μ̂      SD         μ̂      SD          Observed
 100   0.895  0.018      0.835  0.020       954 ± 26.8
 200   0.945  0.007      0.912  0.008       980 ± 12.8
 400   0.975  0.004      0.958  0.005       990 ± 8.3
 800   0.986  0.002      0.977  0.003       995 ± 4.3


Plotting prediction regions. Figure 10 presents prediction regions on the extinction 
probability of the disease in the SIR model and is analogous to the tubes in Fig. 2d 
(see [6, Appendix C.1] for plots for various other benchmarks). These regions are 
obtained by applying our algorithm with varying values for the cost of relaxation $\rho$. 
For a confidence level of $\beta = 99\%$, the widest (smallest) tube in Fig. 10 corresponds 
to a lower bound probability of $\mu = 91.1\%$ ($\mu = 23.9\%$). Thus, we conclude that, 
with a confidence of at least 99%, the curve created by the CTMC for any sampled 
parameter value will lie within the outermost region in Fig. 10 with a probability 
of at least 91.1%. We highlight that our approach supports more general prediction 
regions. We show $n = 200$ solution vectors for the buffer benchmark with 
two measures in Fig. 11 and produce regions that approach the Pareto front. For 
a confidence level of $\beta = 99\%$, the outer prediction region is associated with a 
lower bound probability of $\mu = 91.1\%$, while the inner region has a lower value of 
$\mu = 66.2\%$. We present more plots in [6, Appendix C.1]. 


Tightness of the solution. In Table 2 we investigate the tightness of our results. 
For the experiment, we set $\rho = 1.1$ and solve $\mathcal{L}^\rho_N$ for different values of $n$, repeating 
every experiment 10 times, resulting in the average bounds $\hat{\mu}$. Then, we sample 
1000 solutions and count the observed number of solutions contained in every prediction 
region, resulting in an empirical approximation of the containment probability. 
Recall that for $\rho > 1$, we obtain a prediction region that contains all solutions, 
so this observed count grows toward $n$. The lower bounds grow toward the 
empirical count for an increased $n$, with the smallest difference (RC, $n = 800$, 
$\beta = 0.9$) being as small as 0.9%. Similar observations hold for other values of $\rho$. 


Handling imprecise solutions. The approximate model checker is significantly 
faster (see Table 1 for SIR (140) and RC), at the cost of obtaining imprecise solution 
vectors.⁷ For SIR (140), the sampling time is reduced from 49 to 9 min, while the 
scenario optimization time is slightly higher at 129 s. This difference only grows 
larger with the size of the CTMC. For the larger instances of RC and HECS, 
computing exact solutions is infeasible at all (one HECS (2,2) sample alone takes 
15 min). While the bounds on the containment probability under imprecise solutions 
may initially be poor (see Fig. 12a, which results in $\mu = 2.1\%$), we can 
improve the results significantly using the refinement scheme proposed in Sect. 4.3. 
For example, Fig. 12c shows the prediction region after refining 31 of the 100 solutions, 
which yields $\mu = 74.7\%$. Thus, by iteratively refining only the imprecise solutions 
on the boundary of the resulting prediction regions, we significantly tighten the 
obtained bounds on the containment probability. 


⁷ We terminate at a relative gap between upper/lower bound of the solution below 1%. 


Table 3. Run times in [s] for solving the scenario problems for SIR and RC with 
$\rho = 0.1$ (timeout (TO) of 1 hour) for different sample sizes $n$ and measures $m$. 

(a) SIR (population 20). 
 n \ m      50      100      200      400      800
 100       0.97     1.59     3.36     9.17    25.41
 200       3.69     7.30    22.91    59.45   131.78
 400      29.43    76.13   153.03   310.67   640.70
 800     261.97   491.73   955.77  1924.15       TO

(b) Railway crossing (1,1,hc). 
 n \ m      50      100      200      400
 100       1.84     3.40     8.18    24.14
 200       6.35    14.56    45.09   113.09
 400      34.74    96.68   203.77   427.80
 800     292.32   579.09  1215.67  2553.98


Q2. Scalability 


In Table 3, we report the run times for steps (3)–(5) of our algorithm shown in 
Fig. 7 (i.e., for solving the scenario problems, but not for computing the solution 
vectors in Storm). Here, we solve problem $\mathcal{L}^\rho_N$ for $\rho = 0.1$, with different numbers 
of samples and measures. Our approach scales well to realistic numbers of 
samples (up to 800) and measures (up to 400). The computational complexity 
of the scenario problems is largely independent of the size of the CTMC, and 
hence, similar run times are observed across the benchmarks (cf. Table 1). 


Q3. Comparison to baselines 


We compare against two baselines: (1) Scenario optimization to analyze each 
measure independently, yielding a separate probabilistic guarantee on each mea- 
sure. (2) A frequentist (Monte Carlo) baseline, which samples a large number of 
parameter values and counts the number of associated solutions within a region. 


Fig. 12. Refining imprecise solution vectors (red boxes) for RC (2,2), $n = 100$. (Color 
figure online) Panels: (a) No solutions refined. (b) Intermediate step. (c) 31 refined 
solutions. Horizontal axis of each panel: failed[t<=3]. 
Analyzing measures independently. To show that analyzing a full set of measures at 
once, e.g., the complete probability curve, is essential, we compare our method to 
the baseline that analyzes each measure independently and combines the obtained 
bounds on each measure afterward. We consider the PCS benchmark with precise 
samples and solve $\mathcal{L}^\rho_N$ for $\rho = 2$ (see [6, Table 5] for details). For $n = 100$ samples 
and $\beta = 99\%$, our approach returns a lower bound probability of $\mu = 84.8\%$. By 
contrast, the naive baseline yields a lower bound of only 4.5%, and similar results 
are observed for different values of $n$ (cf. [6, Table 5 in Appendix C]). There are 
two reasons for this large difference. First, the baseline applies Theorem 3 once 
for each of the 25 measures, so it must use a more conservative confidence level of 
$\beta = 1 - \frac{1 - 0.99}{25} = 0.9996$. Second, the baseline takes the conjunction over the 25 
independent lower bounds, which drastically reduces the obtained bound. 


Frequentist baseline. The comparison to the frequentist baseline on the Kanban 
and RC benchmarks yields the previously discussed results in Table 2. The results 
in Tables 1 and 3 show that the time spent for sampling is (for most benchmarks) 
significantly higher than for scenario optimization. Thus, our scenario-based approach 
has a relatively low cost, while resulting in valuable guarantees which the 
baseline does not give. To still obtain a high confidence in the result, a much 
larger sample size is needed for the frequentist baseline than for our approach. 


7 Related Work 


Several verification approaches exist to handle uncertain Markov models. 

For (discrete-time) interval Markov chains (DTMCs) or Markov decision pro- 
cesses (MDPs), a number of approaches verify against all probabilities within the 
intervals [32,39,46, 53,54]. Lumpability of interval CTMCs is considered in [22]. 
In contrast to upCTMCs, interval Markov chains have no dependencies between 
transition uncertainties and no distributions are attached to the intervals. 

Parametric Markov models generally define probabilities or rates via functions 
over the parameters. The standard parameter synthesis problem for discrete-time 
models is to find all valuations of parameters that satisfy a specification. Techniques 
range from computing a solution function over the parameters, to directly 
solving the underlying optimization problems [24,28,33,40]. Parametric CTMCs 
are investigated in [23,34], but are generally restricted to a few parameters. The 
work [15] aims to find a robust parameter valuation in pCTMCs. 

For all approaches listed so far, the results may be rather conservative, as no 
prior information on the uncertainties (the intervals) is used. That is, the uncer- 
tainty is not quantified and all probabilities or rates are treated equally as likely. 
In our approach, we do not compute solution functions, as the underlying methods 
are computationally expensive and usually restricted to a few parameters. 

Quantified uncertainty is studied in [44]. Similarly to our work, the approach 
draws parameter values from a probability distribution over the model parameters 
and analyzes the instantiated model via model checking. However, [44] 
studies DTMCs and performs a frequentist (Monte Carlo) approach, cf. Sect. 6, 
to compute estimates for a single measure, without prediction regions. Moreover, 
our approach requires significantly fewer samples, cf. the comparison in Sect. 6. 

The work in [10,11] takes a sampling-driven Bayesian approach for pCTMCs. 
In particular, they take a prior on the solution function over a single measure and 
update it based on samples (potentially obtained via statistical model checking). 
We assume no prior on the solution function, and, as mentioned before, do not 
compute the solution function due to the expensive underlying computations. 

Statistical model checking (SMC) [1,43] samples paths in stochastic models 
to perform model checking. This technique has been applied to numerous models 
[25-27,47], including CTMCs [52,57]. SMC analyzes a concrete CTMC by 
sampling from the known transition rates, whereas for upCTMC these rates are 
parametric. 

Finally, scenario optimization [16,21] is widely used in control theory [14] 
and recently in machine learning [20] and reliability engineering [49]. Within a 
verification context, closest to our work is [5], which considers the verification 
of single measures for uncertain MDPs. [5] relies on the so-called sampling-and- 
discarding approach [17], while we use the risk-and-complexity perspective [31], 
yielding better results for problems with many decision variables like we have. 


8 Conclusion 


This paper presents a novel approach to the analysis of parametric Markov 
models with respect to a set of performance characteristics. In particular, we 
provide a method that yields statistical guarantees on the typical performance 
characteristics from a finite set of samples of those parameters. Our experiments 
show that high-confidence results can be given based on a few hundred samples. 
Future work includes supporting models with nondeterminism, exploiting 
aspects of parametric models such as monotonicity, and integrating methods to 
infer the distributions on the parameter space from observations. 
Abstract. We investigate zero-sum turn-based two-player stochastic 
games in which the objective of one player is to maximize the amount of 
rewards obtained during a play, while the other aims at minimizing it. We 
focus on games in which the minimizer plays in a fair way. We believe that 
these kinds of games enjoy interesting applications in software verifica- 
tion, where the maximizer plays the role of a system intending to maxi- 
mize the number of “milestones” achieved, and the minimizer represents 
the behavior of some uncooperative but yet fair environment. Normally, 
to study total reward properties, games are requested to be stopping (i.e., 
they reach a terminal state with probability 1). We relax the property to 
request that the game is stopping only under a fair minimizing player. We 
prove that these games are determined, i.e., each state of the game has a 
value defined. Furthermore, we show that both players have memoryless 
and deterministic optimal strategies, and the game value can be computed 
by approximating the greatest-fixed point of a set of functional equations. 
We implemented our approach in a prototype tool, and evaluated it on an 
illustrating example and an Unmanned Aerial Vehicle case study. 


1 Introduction 


Game theory [25] admits an elegant and profound mathematical theory. In 
the last decades, it has received widespread attention from computer scientists 
because it has important applications to software synthesis and verification. The 
analogy is appealing: the operation of a system under an uncooperative environment 
(faulty hardware, malicious agents, unreliable communication channels, 
etc.) can be modeled as a game between two players (the system and the environment), 
in which the system tries to fulfill certain goals, whereas the environment 
tries to prevent this from happening. This view is particularly useful for 
controller synthesis, i.e., to automatically generate decision-making policies from 
high-level specifications. Thus, synthesizing a controller consists of computing 
optimal strategies for a given game. 

In this paper we focus on zero-sum, perfect-information, two-player, turn- 
based stochastic games with (non-negative) rewards [18]. Intuitively, these games 
are played in a graph by two players who move a token in turns. Some vertices 
are probabilistic, in the sense that, if a token is in a probabilistic vertex, then 
the next vertex is randomly selected. Furthermore, the players select their moves 
using strategies. Associated with each vertex there is a reward (which, in this 
paper, is taken to be non-negative). The goal of Player 1 is to maximize the 
expected amount of collected rewards during the game, whereas Player 2 aims 
at minimizing this value. This is what [28] calls total reward objective. These 
kinds of games have been shown useful to reason about several classes of systems 
such as autonomous vehicles, fault-tolerant systems, communication protocols, 
energy production plants, etc. Particularly, in this paper we consider those games 
in which one of the players employs fair strategies. 

Fairness restrictions, understood as fair resolutions of non-determinism of 
actions, play an important role in software verification and controller synthesis. 
Especially, fairness assumptions over environments make possible the verifica- 
tion of liveness properties on open systems. Several authors have indicated the 
need for fairness assumptions over the environment in the controller synthesis 
approach, e.g., [2,16]. As a simple example consider an autonomous vehicle that 
needs to traverse a field where moving objects may interfere in its path. Though 
the precise behavior of the objects may be unknown, it is reasonable to assume 
that they will not continuously obstruct the vehicle’s attempts to avoid them. In 
this sense, while stochastic behavior may be a consequence of the vehicle faults, 
we can only assume a fair behavior of the surrounding moving objects. In this 
work, we consider stochastic games in which one of the players (the one playing 
the environment) is assumed to play only with strong fair strategies. 

In order to guarantee that the expected value of accumulated rewards is well 
defined in (perhaps infinite) plays, some kind of stopping criterion is needed. A 
common way to do this is to force the strategies to decide to stop with some pos- 
itive probability in every decision. This corresponds to the so-called discounted 
stochastic games [18,27], and has the implications that the collected rewards 
become less important as the game progresses (the “importance reduction” is 
given by the discount factor). Alternatively, one may be interested in knowing the 
expected total reward, that is, the expected accumulated reward without any loss 
of it as time progresses. For this value to be well defined, the game itself needs to 
be stopping. That is, no matter the strategies played by the players, the probabil- 
ity of reaching a terminal state needs to be 1 [13,18]. We focus on this last type 
of game. However, we study here games that may not be stopping in general (i.e., 
for every strategy), but instead, require that they become stopping only when the 
minimizer plays in a fair way. We use a notion of (almost-sure) strong fairness, 
mostly following the ideas introduced in [7] for Markov decision processes. We 
show that these kinds of games are determined, i.e., each state of the game has a 
value defined. Furthermore, we show that memoryless and deterministic optimal 
strategies exist for both players. Moreover, the value of the game can be calcu- 
lated via the greatest fixed point of the corresponding functionals. It is important 
to remark that most of the properties discussed in this paper hold when the fair- 
ness assumptions are made over the minimizer. Similar properties may not hold if 
the role of players is changed. However, these conditions encompass a large class 
of scenarios, where the system intends to maximize the total collected reward and 
the environment has the opposite objective. 

In summary, the contributions of this paper are the following: (1) we intro- 
duce the notion of stopping under fairness stochastic game, a generalization of 
stopping game that takes into account fair environments; (2) we prove that it can 
be decided in polynomial time whether a game is stopping under fairness; (3) we 
show that these kinds of games are determined and both players possess optimal 
stationary strategies, which can be computed using Bellman equations; and (4) 
we implemented these ideas in a prototype tool embedded in the PRISM-games 
toolset [22], which we used to evaluate the viability of our approach through 
illustrative case studies. 

The paper is structured as follows. Section 2 introduces an illustrating exam- 
ple to motivate the use of having fairness restrictions over the minimizer. 
Section 3 fixes terminology and introduces background concepts. In Sect. 4 we 
describe a polynomial procedure to check whether a game stops under fairness 
assumptions, we also prove that determinacy is preserved in these games as well 
as the existence of (memoryless and deterministic) optimal strategies. Exper- 
imental results are described in Sect. 5. Finally, Sects. 6 and 7 discuss related 
work and draw some conclusions, respectively. 


2 Roborta vs. the Fair Light (A Motivating Example) 


Consider the following scenario. Roborta the robot is navigating a grid of 4 x 4 
cells. Roborta’s moves respond to a traffic light: if the light is yellow, she must 
move sideways (at a border cell, Roborta is allowed to wrap around to the other 
side); if the light is green she ought to move forward; if the light is red, she 
cannot perform any movement; finally, if the light is off, Roborta is free to move 
either sideways or forward. The light and Roborta change their states in turns. 
In addition, a (non-negative) reward is associated with each cell of the grid. Also, 
some cells restrict the sideway movement to only one direction. Moreover, we 
consider possible failures on the behavior of the robot and the light. If Roborta 
fails, she loses her turn to move. If the light fails, it turns itself off. The failures 
occur with a given probability and are not permanent (they only affect the 
current play). The goal of Roborta is to collect as many rewards as possible. In 
opposition, the light aims at minimizing this value. 

The specification of this game is captured in Fig. 1 (using PRISM-like notation 
[23]). In this model, WIDTH and LENGTH are constants defining the dimension 
of the grid. MOVES is a two-dimensional array modeling the possible sideways 
movements in the grid (0 allows the robot to move only to the left, 1, to either 
side, and 2, only to the right). The light plays when it is red (light=0) and it 
can choose whether to turn on the yellow light (transition labelled with l_y) or 
green (transition labelled l_g). Notice that with any choice, the light may fail with 
probability Q, in which case it turns itself off (light’=3). If the light is not red, then 
it is Roborta’s turn to play. If the light is yellow (light=1) or off (light=3), Roborta 
can choose whether to move left (r_l) or right (r_r), provided the grid allows the 
movements. If the light is green (light=2) or off (light=3), she can choose to move 
forward (notice that if light=2 this is the only possible move). Like the light, each 
of Roborta’s choices has a failure probability of P, in which case, she does not 
move and only passes the turn to the light (by setting light’=0). For completeness, 
we mention that the rewards are stored in a secondary matrix which is not shown 
in Fig. 1. 

    module Roborta_vs_the_light
      col : [0..WIDTH] init 0;
      row : [0..LENGTH] init 0;
      light : [0..3] init 0;  // current light color
      // 0: red (light's turn)
      // 1: yellow (Roborta moves sideways)
      // 2: green (Roborta moves forward)
      // 3: off (light fails, any move)
      // light moves
      [l_y] (light=0) -> (1-Q) : (light'=1) + Q : (light'=3);
      [l_g] (light=0) -> (1-Q) : (light'=2) + Q : (light'=3);
      // Roborta moves
      [r_l] ((light=1) | (light=3)) & (MOVES[col,row] <= 1)
          -> (1-P) : (light'=0) & (col'=(col-1)%WIDTH) + P : (light'=0);
      [r_r] ((light=1) | (light=3)) & (MOVES[col,row] >= 1)
          -> (1-P) : (light'=0) & (col'=(col+1)%WIDTH) + P : (light'=0);
      // forward move; its label is illegible in the scan and r_f is assumed here
      [r_f] ((light=2) | (light=3)) & (row < LENGTH)
          -> (1-P) : (light'=0) & (row'=row+1) + P : (light'=0);
    endmodule

Fig. 1. Model for the Game 

Figure 2 shows the assignment of rewards to each cell of the 4 x 4 grid as well 
as the sideway movement restrictions (shown on the bottom-right of each cell 
with white arrows). The game starts at the cell (0,0) and it stops when Roborta 
escapes through the end of the grid (i.e., row = LENGTH). 

A possible scenario in this game is as follows. Roborta starts in cell (0,0) and, in 
an attempt to minimize the rewards accumulated by the robot, the environment 
switches the yellow light on. For the sake of simplicity, we assume no failures on 
the light, i.e., Q = 0. Notice that, if the environment plays always in this way 
(signaling a yellow light), then Roborta does not collect rewards (since all rewards 
in the first row are 0) but also she will never reach the goal and the game never 
stops. This scenario occurs when the light plays in an unfair way, i.e., an action 
(the one that turns the green light on) is enabled infinitely often, but it is not 
executed infinitely often. Assuming fairness over the environment, we can ensure 
that a green light will be eventually switched on, allowing the robot to move forward. 

Fig. 2. A robot on a 4 x 4 grid 

For the case in which Q = 0, the best strategy for Roborta when the light is 
yellow is shown in black arrows on the top-right of each cell with no movement 
restrictions (restricting cells provide only one choice). As a result, when both 
players play their optimal strategies, the path taken by Roborta to achieve the 
goal can be observed in the yellow-highlighted portion of the grid in Fig. 2. In 
Sect. 5, we evaluate this problem experimentally with different configurations of 
the game. 


3 Preliminaries 


We introduce some basic definitions and results on stochastic games that will be 
necessary across the paper. 

A (discrete) probability distribution $\mu$ over a denumerable set $S$ is a function 
$\mu : S \to [0,1]$ such that $\mu(S) = \sum_{s \in S} \mu(s) = 1$. Let $\mathcal{D}(S)$ denote the set of 
all probability distributions on $S$. $\Delta_s \in \mathcal{D}(S)$ denotes the Dirac distribution for 
$s \in S$, i.e., $\Delta_s(s) = 1$ and $\Delta_s(s') = 0$ for all $s' \in S$ such that $s' \neq s$. The support 
set of $\mu$ is defined by $\mathrm{Supp}(\mu) = \{s \mid \mu(s) > 0\}$. 

Given a set $V$, $V^*$ (resp. $V^\omega$) denotes the set of all finite sequences (resp. 
infinite sequences) of elements of $V$. Concatenation is represented using juxtaposition. 
We use variables $\omega, \omega', \dots \in V^\omega$ as ranging over infinite sequences, and 
variables $\hat{\omega}, \hat{\omega}', \dots \in V^*$ as ranging over finite sequences. The $i$-th element of a 
finite (resp. infinite) sequence $\hat{\omega}$ (resp. $\omega$) is denoted $\hat{\omega}_i$ (resp. $\omega_i$). Furthermore, 
for any finite sequence $\hat{\omega}$, $|\hat{\omega}|$ denotes its length. For $\omega \in V^\omega$, $\inf(\omega)$ denotes the 
set of items appearing infinitely often in $\omega$. Given $S \subseteq V^*$, $S^k$ is the set obtained 
by concatenating $k$ times the sequences in $S$. 

A stochastic game [11,28] is a tuple $\mathcal{G} = (V, (V_1, V_2, V_P), \delta)$, where $V$ is a 
finite set of vertices (or states) with $V_1, V_2, V_P \subseteq V$ being a partition of $V$, and 
$\delta : V \times V \to [0,1]$ is a probabilistic transition function, such that for every 
$v \in V_1 \cup V_2$, $\delta(v, v') \in \{0,1\}$, for any $v' \in V$; and $\delta(v, \cdot) \in \mathcal{D}(V)$ for $v \in V_P$. 
If $V_P = \emptyset$, then $\mathcal{G}$ is called a two-player game graph. Moreover, if $V_1 = \emptyset$ or 
$V_2 = \emptyset$, then $\mathcal{G}$ is a Markov decision process (or MDP). Finally, in case that 
$V_1 = \emptyset$ and $V_2 = \emptyset$, $\mathcal{G}$ is a Markov chain (or MC). For all states $v \in V$ we 
define $\mathit{post}^\delta(v) = \{v' \in V \mid \delta(v, v') > 0\}$, the set of successors of $v$. Similarly, 
$\mathit{pre}^\delta(v') = \{v \in V \mid \delta(v, v') > 0\}$ is the set of predecessors of $v'$; we omit the 
index $\delta$ when it is clear from context. Also, when useful, we fix an initial state for 
a game, in such a case we use the notation $\mathcal{G}_v$ to indicate that the game starts 
from $v$. Furthermore, we assume that $\mathit{post}(v) \neq \emptyset$ for every $v \in V$. A vertex 
$v \in V$ is said to be terminal if $\delta(v, v) = 1$, and $\delta(v, v') = 0$ for all $v \neq v'$. Most 
results on MDPs rely on the notion of end component [5]; we straightforwardly 
extend this notion to two-player games: an end component of $\mathcal{G}$ is a pair $(V', \delta')$ 
such that (a) $V' \subseteq V$; (b) $\delta'(v) = \delta(v)$ for $v \in V_P$; (c) $\emptyset \neq \mathit{post}^{\delta'}(v) \subseteq \mathit{post}^{\delta}(v)$ for 
$v \in V_1 \cup V_2$; (d) $\mathit{post}^{\delta'}(v) \subseteq V'$ for all $v \in V'$; (e) the underlying graph of $(V', \delta')$ 
is strongly connected. Note that an end component can also be considered as 
being a game. The set of end components of $\mathcal{G}$ is denoted $\mathit{EC}(\mathcal{G})$. 

A path in the game $\mathcal{G}$ is an infinite sequence of vertices $v_0 v_1 \dots$ such that 
$\delta(v_k, v_{k+1}) > 0$ for every $k \in \mathbb{N}$. $\mathit{Paths}_\mathcal{G}$ denotes the set of all paths, and $\mathit{FPaths}_\mathcal{G}$ 
denotes the set of finite prefixes of paths. Similarly, $\mathit{Paths}_{\mathcal{G},v}$ and $\mathit{FPaths}_{\mathcal{G},v}$ 
denote the set of paths and the set of finite paths starting at vertex $v$. 
A strategy for Player $i$ (for $i \in \{1,2\}$) in a game $\mathcal{G}$ is a function $\pi_i : V^* V_i \to 
\mathcal{D}(V)$ that assigns a probability distribution to each finite sequence of states 
such that $\pi_i(\hat{\omega} v)(v') > 0$ only if $v' \in \mathit{post}(v)$. The set of all the strategies for 
Player $i$ is named $\Pi_i$. A strategy $\pi_i$ is said to be pure or deterministic if, for 
every $\hat{\omega} v \in V^* V_i$, $\pi_i(\hat{\omega} v)$ is a Dirac distribution, and it is called memoryless if 
$\pi_i(\hat{\omega} v) = \pi_i(v)$, for every $\hat{\omega} \in V^*$. Let $\Pi_i^M$ and $\Pi_i^D$ be respectively the set of 
all memoryless strategies and the set of all deterministic strategies for Player $i$. 
$\Pi_i^{MD} = \Pi_i^M \cap \Pi_i^D$ is the set of all its deterministic and memoryless strategies. 

Given two strategies $\pi_1 \in \Pi_1$, $\pi_2 \in \Pi_2$ and an initial vertex $v$, the result of the game is a Markov chain [11], denoted $G_v^{\pi_1,\pi_2}$. An event $A$ is a measurable set in the Borel $\sigma$-algebra generated by the cones of $\mathrm{Paths}_G$. The cone or cylinder spanned by the finite path $\hat{\omega} \in \mathrm{FPaths}_G$ is the set $\mathrm{cyl}(\hat{\omega}) = \{\omega \in \mathrm{Paths}_G \mid \forall\, 0 \le i < |\hat{\omega}| : \omega_i = \hat{\omega}_i\}$. $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}$ is the associated probability measure obtained when fixing strategies $\pi_1$, $\pi_2$, and an initial vertex $v$ [11]. Intuitively, $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(A)$ is the probability that strategies $\pi_1$ and $\pi_2$ generate a path belonging to the set $A$ when the game $G$ starts in $v$. When no confusion is possible, we just write $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\hat{\omega})$ instead of $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\mathrm{cyl}(\hat{\omega}))$. Similar notations are used for MDPs and MCs. A stochastic game (defined as above) is said to be stopping [14] if for all pairs of strategies $\pi_1, \pi_2$ the probability of reaching a terminal state is 1. We use LTL notation to represent specific sets of paths, e.g., $\Diamond T = \{\omega \in \mathrm{Paths}_G \mid \exists i \ge 0 : \omega_i \in T\}$ is the set of all the plays in the game that reach vertices in $T$.

A quantitative objective or payoff function is a measurable function $f : V^{\omega} \to \mathbb{R}$. Let $\mathbb{E}_{G,v}^{\pi_1,\pi_2}[f]$ be the expectation of the measurable function $f$ under the probability $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}$. The goal of Player 1 is to maximize this value whereas the goal of Player 2 is to minimize it. Sometimes quantitative objective functions can be defined via rewards. These are assigned by a reward function $r : V \to \mathbb{R}^{+}$. We usually consider stochastic games augmented with a reward function. Moreover, we assume that for every terminal vertex $v$, $r(v) = 0$.

The value of the game for Player 1 at vertex $v$ under strategy $\pi_1$ is defined as the infimum over all the values resulting from Player 2 strategies in that vertex, i.e., $\inf_{\pi_2 \in \Pi_2} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[f]$. The value of the game for Player 1 is defined as the supremum of the values of all Player 1 strategies, i.e., $\sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[f]$. Similarly, the value of the game for Player 2 under strategy $\pi_2$ and the value of the game for Player 2 are defined as $\sup_{\pi_1 \in \Pi_1} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[f]$ and $\inf_{\pi_2 \in \Pi_2} \sup_{\pi_1 \in \Pi_1} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[f]$, respectively. We say that a game is determined if both values are the same, that is, $\sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[f] = \inf_{\pi_2 \in \Pi_2} \sup_{\pi_1 \in \Pi_1} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[f]$. Martin [24] proved the determinacy of stochastic games for Borel and bounded objective functions.

In this paper we focus on the total accumulated reward payoff function, i.e., $\mathrm{rew}(\omega) = \sum_{i=0}^{\infty} r(\omega_i)$. Since $\mathrm{rew}$ is unbounded, the results of Martin [24] do not apply to this function. In this paper we restrict ourselves to non-negative rewards; as shown in the next sections, non-negative rewards are enough to deal with interesting case studies. We briefly discuss in Sect. 7 the possible extension of the results presented here to games having negative rewards.
4 Stopping Games and Fair Strategies


We begin this section by introducing the notions of (almost sure) fair strategy and stopping games under fairness. From now on, we assume that Player 2 represents the environment, which tries to minimize the amount of rewards obtained by the system; thus fairness restrictions will be applied to this player.


Definition 1. Given a stochastic game $G = (V,(V_1, V_2, V_p), \delta)$, the set of fair plays for Player 2 (denoted $\mathrm{FP}^2$) is defined as follows:

$\mathrm{FP}^2 = \{\omega \in \mathrm{Paths}_G \mid \forall v' \in V_2 : v' \in \mathrm{inf}(\omega) \Rightarrow \mathrm{post}(v') \subseteq \mathrm{inf}(\omega)\}$

Alternatively, if we consider each vertex as a proposition, $\mathrm{FP}^2$ can be written using LTL notation as: $\bigwedge_{v \in V_2} \bigwedge_{v' \in \mathrm{post}(v)} (\Box\Diamond v \Rightarrow \Box\Diamond v')$. This property is $\omega$-regular, thus it is measurable in the $\sigma$-algebra generated by the cones of $\mathrm{Paths}_G$ (see e.g., [5, p.804]). This is a state-based notion of fairness, but it can be straightforwardly extended to settings where transitions are considered. For the sake of simplicity we do not do so in this paper.

Next, we introduce the notion of (almost-sure) fair strategies for Player 2. 


Definition 2. Given a stochastic game $G = (V,(V_1,V_2,V_p),\delta)$, a strategy $\pi_2 \in \Pi_2$ is said to be almost-sure fair (or simply fair) iff it holds that: $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\mathrm{FP}^2) = 1$, for every $\pi_1 \in \Pi_1$ and $v \in V$.

The set of all the fair strategies for Player 2 is denoted by $\Pi_2^{F}$. We combine this notation with the notation introduced in Sect. 3, e.g., $\Pi_2^{MF}$ refers to the set of all memoryless and fair strategies for Player 2. The previous definition is based on the notion of fair scheduler as introduced for Markov decision processes [5,7].

Note that for stopping games, every strategy is fair, because the probability of visiting a vertex infinitely often is 0. Also notice that there are games which are not stopping, but which become stopping if Player 2 uses only fair strategies. This is the main idea behind the notion of stopping under fairness as introduced in the following definition.


Definition 3. A stochastic game $G = (V,(V_1, V_2, V_p), \delta)$ is said to be stopping under fairness iff for all strategies $\pi_1 \in \Pi_1$, $\pi_2 \in \Pi_2^{F}$ and vertex $v \in V$, it holds that $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\Diamond T) = 1$, where $T$ is the set of terminal vertices of $G$.


Checking stopping criteria. This section is devoted to the effective characterization of games that are stopping under fairness. The following lemma states that, for every game that is not stopping under fairness, there is a memoryless deterministic strategy for Player 1 and a fair strategy for Player 2 that witness it.


Lemma 1. Let $G = (V,(V_1,V_2,V_p),\delta)$ be a stochastic game, $v \in V$, and $T$ the set of terminal states of $G$. If $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\Diamond T) < 1$ for some $\pi_1 \in \Pi_1$ and $\pi_2 \in \Pi_2^{F}$, then, for some memoryless and deterministic strategy $\pi_1' \in \Pi_1^{MD}$ and fair strategy $\pi_2' \in \Pi_2^{F}$, $\mathrm{Prob}_{G,v}^{\pi_1',\pi_2'}(\Diamond T) < 1$.

The proof of this lemma follows by noticing that, if $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\Diamond T) < 1$, there must be a finite path that leads with some probability to an end component not containing a terminal state and which is a trap for the fair strategy $\pi_2$. This part of the game enables the construction of a memoryless deterministic strategy for Player 1 by ensuring that it follows the same finite path (but skipping loops) and that it traps Player 2 in the same end component.

The next theorem states that checking stopping under fairness in a stochastic game $G$ can be reduced to checking the stopping criteria in an MDP, which is obtained from $G$ by fixing a strategy for Player 2 that selects among the outgoing transitions according to a uniform distribution. Thus, this theorem enables a graph solution to determine stopping under fairness.


Theorem 1. Let $G = (V,(V_1, V_2, V_p), \delta)$ be a stochastic game and $T$ its set of terminal states. Consider the Player 2 (memoryless) strategy $\pi_2^{u} : V_2 \to \mathcal{D}(V)$ defined by $\pi_2^{u}(v)(v') = \frac{1}{|\mathrm{post}(v)|}$ for all $v \in V_2$ and $v' \in \mathrm{post}(v)$. Then, $G$ is stopping under fairness iff $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2^{u}}(\Diamond T) = 1$ for every $v \in V$ and $\pi_1 \in \Pi_1$.


While the “only if” part of the theorem is direct, the “if” part is proved by 
contraposition using Lemma 1. 

Theorem 1 introduces an algorithm to check if the stochastic game $G$ is stopping under fairness: transform $G$ into the MDP $G^{\pi_2^{u}}$ by fixing $\pi_2^{u}$ in $G$ and check whether $\mathrm{Prob}_{G^{\pi_2^{u}},v}^{\pi_1}(\Diamond T) = 1$ for all $v \in V$. As a consequence, we have the following theorem.


Theorem 2. Checking whether the stochastic game G is stopping under fairness 
or not is in O(poly(size(G))). 


Alternatively, we can use Theorem 1 to provide a direct algorithm on $G$, avoiding the construction of the intermediate MDP. The main idea is to use a modification of the standard pre operator, as shown in the following definition:

$\exists\mathrm{Pre}_G(C) = \{v \in V \mid \delta(v, C) > 0\}$
$\forall\mathrm{Pre}_G(C) = \{v \in V_2 \cup V_p \mid \delta(v, C) > 0\} \cup \{v \in V_1 \mid \forall v' \in V : \delta(v, v') > 0 \Rightarrow v' \in C\}$

As usual we consider the transitive closures of these operators, denoted $\exists\mathrm{Pre}^{*}_G$ and $\forall\mathrm{Pre}^{*}_G$, respectively.


Theorem 3. Let $G = (V,(V_1, V_2, V_p), \delta)$ be a stochastic game and let $T$ be the set of its terminal states. Then, (1) $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\Diamond T) = 1$ for every $\pi_1 \in \Pi_1$ and $\pi_2 \in \Pi_2^{F}$ iff $v \in V \setminus \exists\mathrm{Pre}^{*}_G(V \setminus \forall\mathrm{Pre}^{*}_G(T))$, and (2) $G$ is stopping under fairness iff $\exists\mathrm{Pre}^{*}_G(V \setminus \forall\mathrm{Pre}^{*}_G(T)) = \emptyset$.
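As an added illustration of the criterion in Theorem 3 (Python written for this page, not the paper's or the PRISM-games code), the following computes $\exists\mathrm{Pre}^{*}$ and $\forall\mathrm{Pre}^{*}$ on a small constructed game and applies both parts of the theorem. It assumes that the closures are reflexive (they contain their argument set) and, going beyond the text, adds a fairness-blind variant that treats Player 2 like Player 1, which shows the difference between stopping and stopping under fairness remarked on after Definition 2.

```python
"""Stopping-under-fairness check via the pre operators of Theorem 3.

Added example (not the paper's or PRISM-games' code).  A game is a dict
mapping each vertex to its owner ('p1', 'p2' or 'prob') and its successor
map {v': delta(v, v')}.  Assumptions: ExistsPre* and ForallPre* are least
fixed points that contain the argument set itself, and the optional
fair_p2=False variant (not in the paper) treats Player 2 like Player 1,
i.e. it checks plain stopping with no fairness assumption.
"""

def post(game, v):
    """Successors of v: every v' with delta(v, v') > 0."""
    return {w for w, p in game[v]["succ"].items() if p > 0}

def terminals(game):
    """Terminal vertices: delta(v, v) = 1 and no other successor."""
    return {v for v in game if game[v]["succ"] == {v: 1.0}}

def validate(game):
    """Sanity checks on the encoding: player vertices carry 0/1 weights,
    probabilistic vertices carry a distribution, and post(v) is non-empty."""
    for v, node in game.items():
        probs = list(node["succ"].values())
        assert post(game, v), f"post({v}) must be non-empty"
        assert all(w in game for w in node["succ"]), f"dangling successor at {v}"
        if node["owner"] == "prob":
            assert abs(sum(probs) - 1.0) < 1e-9, f"{v}: not a distribution"
        else:
            assert set(probs) <= {0.0, 1.0}, f"{v}: player weights must be 0/1"
    return True

def exists_pre(game, C):
    """ExistsPre(C): vertices with some successor in C."""
    return {v for v in game if post(game, v) & C}

def forall_pre(game, C, fair_p2=True):
    """ForallPre(C): fair Player 2 and probabilistic vertices need one
    successor in C; Player 1 vertices need all successors in C."""
    out = set()
    for v in game:
        owner, succ = game[v]["owner"], post(game, v)
        lenient = owner == "prob" or (owner == "p2" and fair_p2)
        if (succ & C) if lenient else (succ <= C):
            out.add(v)
    return out

def closure(op, game, C):
    """Reflexive-transitive closure: smallest superset of C closed under op."""
    cur = set(C)
    while True:
        nxt = cur | op(game, cur)
        if nxt == cur:
            return cur
        cur = nxt

def almost_surely_stopping_from(game, fair_p2=True):
    """Theorem 3 (1): vertices from which every Player 1 strategy and every
    fair Player 2 strategy reach T with probability 1."""
    V, T = set(game), terminals(game)
    safe = closure(lambda g, C: forall_pre(g, C, fair_p2), game, T)
    return V - closure(exists_pre, game, V - safe)

def is_stopping_under_fairness(game, fair_p2=True):
    """Theorem 3 (2): ExistsPre*(V \\ ForallPre*(T)) is empty."""
    return almost_surely_stopping_from(game, fair_p2) == set(game)

# Constructed sample game.  v0 (Player 2) may loop through v1 forever, but
# fairness forces it to eventually take the edge to t.  v2 (Player 1) can
# loop on itself regardless of fairness, and p reaches v2 with prob. 0.5.
FAIR_ONLY = {
    "t":  {"owner": "prob", "succ": {"t": 1.0}},
    "v0": {"owner": "p2",   "succ": {"v1": 1.0, "t": 1.0}},
    "v1": {"owner": "p1",   "succ": {"v0": 1.0}},
}
WITH_TRAP = dict(FAIR_ONLY, **{
    "v2": {"owner": "p1",   "succ": {"v2": 1.0, "t": 1.0}},
    "p":  {"owner": "prob", "succ": {"v0": 0.5, "v2": 0.5}},
})

if __name__ == "__main__":
    for name, g in (("FAIR_ONLY", FAIR_ONLY), ("WITH_TRAP", WITH_TRAP)):
        validate(g)
        print(name, "stopping under fairness:", is_stopping_under_fairness(g),
              "| plain stopping:", is_stopping_under_fairness(g, fair_p2=False),
              "| a.s. stopping from:", sorted(almost_surely_stopping_from(g)))
```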


Determinacy of Stopping Games under Fairness. The determinacy of stochastic games with Borel and bounded payoff functions follows from Martin's results [24]. The function $\mathrm{rew}$ is unbounded, so Martin's theorems do not apply to it. In [18], the determinacy of a general class of stopping stochastic games (called transient) with total rewards is proven. However, note that we restrict Player 2 to only play with fair strategies and hence the last result does not apply either. In [26] the authors classify Player 2's strategies into proper (those ensuring termination) and improper (those prolonging the game indefinitely). For proving determinacy, the authors assume that the value of the game for Player 2's improper strategies is $\infty$. It is worth noting that, for proving the results below, we do not make any assumption about unfair strategies. In the following we prove that the restriction to fair plays does not affect the determinacy of the games.
Figure 3 shows the dependencies of the lemmas that eventually lead to our main results, namely, Theorem 4, which states that the general problem can be limited to only memoryless and deterministic strategies, and Theorem 5, which establishes determinacy and the correctness of the algorithmic solution through the Bellman equations. To prove Theorem 4 we use the intermediate notion of semi-Markov strategies [18], and a first step to this reduction is presented in Lemma 2. Lemmas 3 and 4 ensure the transient characteristics of stopping under fairness problems. They are essential to prove that every possible total reward play yields a solution (Lemma 5). Already approaching Theorem 4, Lemma 6 states that there is always a minimizing fair strategy that is memoryless and deterministic, and Lemma 7 helps to reduce the problem from the domain of semi-Markov strategies to the domain of memoryless deterministic strategies. Using Theorem 4 and Proposition 1, which states that the Bellman equations are well behaved in the lattice of solutions, Theorem 5 is finally proved.

Fig. 3. A roadmap to proving Theorems 4 and 5

Intuitively, a semi-Markov strategy only takes into account the length of a play, the initial state, and the current state to select the next step in the play.


Definition 4. Let $G = (V,(V_1, V_2, V_p), \delta)$ be a stochastic game. A strategy $\pi_i \in \Pi_i$ is called semi-Markov if: $\pi_i(v \hat{\omega} v') = \pi_i(v \hat{\omega}' v')$, for every $v \in V$ and $\hat{\omega}, \hat{\omega}' \in V^*$ such that $|\hat{\omega}| = |\hat{\omega}'|$.

Notice that, by fixing an initial state $v$, a semi-Markov strategy $\pi_i$ can be thought of as a sequence of memoryless strategies $\pi_i^{v,0}\, \pi_i^{v,1} \ldots$ where $\pi_i(v) = \pi_i^{v,0}(v)$ and $\pi_i(v \hat{\omega} v') = \pi_i^{v,|\hat{\omega}|+1}(v')$. The set of all semi-Markov (resp. semi-Markov fair) strategies for player $i$ is denoted $\Pi_i^{S}$ (resp. $\Pi_i^{SF}$).

The importance of semi-Markov strategies lies in the fact that, when Player 2 
plays a semi-Markov strategy, any Player 1’s strategy can be mimicked by a 
semi-Markov strategy as stated in the following lemma. 


Lemma 2. Let $G$ be a stopping under fairness stochastic game, and let $\pi_2 \in \Pi_2^{SF}$ be a fair and semi-Markov strategy. Then, for any $\pi_1 \in \Pi_1$, there is a semi-Markov strategy $\pi_1^{*} \in \Pi_1^{S}$ such that $\mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] = \mathbb{E}_{G,v}^{\pi_1^{*},\pi_2}[\mathrm{rew}]$.
Proof (Sketch). The proof follows the arguments of Theorem 4.2.7 in [18] adapted to our setting.

Consider the event $\bigcirc^{k} v' = \{\omega \in \mathrm{Paths}_G \mid \omega_k = v'\}$, for $k \ge 0$. That is, the set of runs in which $v'$ is reached after exactly $k$ steps. We define $\pi_1^{*}$ as follows. For $v'$ with $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\bigcirc^{k} v') > 0$ and $|\hat{\omega}| = k$,

$\pi_1^{*}(\hat{\omega} v')(v'') = \mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\bigcirc^{k+1} v'' \mid \bigcirc^{k} v').$

For $v'$ with $\mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\bigcirc^{k} v') = 0$ and $|\hat{\omega}| = k$ we define $\pi_1^{*}(\hat{\omega} v')$ to be the uniform distribution on $\mathrm{post}(v')$. Notice that $\pi_1^{*}$ is a semi-Markov strategy. We prove that $\pi_1^{*}$ is the strategy that satisfies the conclusion of the lemma. For this, we first show that $\mathrm{Prob}_{G,v}^{\pi_1^{*},\pi_2}(\bigcirc^{k} v') = \mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\bigcirc^{k} v')$ by induction on $k$, and use it to conclude the following:

$\mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] = \sum_{N=0}^{\infty} \sum_{\hat{\omega} \in V^{N+1}} \mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\hat{\omega})\, r(\hat{\omega}_N) = \sum_{N=0}^{\infty} \sum_{v' \in V} \mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\bigcirc^{N} v')\, r(v') = \sum_{N=0}^{\infty} \sum_{v' \in V} \mathrm{Prob}_{G,v}^{\pi_1^{*},\pi_2}(\bigcirc^{N} v')\, r(v') = \mathbb{E}_{G,v}^{\pi_1^{*},\pi_2}[\mathrm{rew}]$


In a stopping game, all non-terminal states are transient (a state is transient if the expected time that both players spend in it is finite). In fact, [18] defines a stopping game with terminal states in $T$ as a transient game, i.e., a game in which $\sum_{N=0}^{\infty} \sum_{\hat{\omega} \in (V \setminus T)^{N}} \mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\hat{\omega}) < \infty$ for all strategies $\pi_1 \in \Pi_1$ and $\pi_2 \in \Pi_2$. Obviously, this generality does not hold in our case since unfair strategies make the game dwell infinitely on a set of non-terminal states. Therefore, we prove a weaker property in our setting. Roughly speaking, the next lemma states that, in games that stop under fairness, non-terminal states are transient, provided that the two players play memoryless strategies, and in particular, that Player 2 plays only fair.


Lemma 3. Let $G = (V,(V_1, V_2, V_p), \delta)$ be a stochastic game that is stopping under fairness with $T$ being the set of terminal states. Let $\pi_1 \in \Pi_1^{M}$ be a memoryless strategy for Player 1 and $\pi_2 \in \Pi_2^{MF}$ a memoryless fair strategy for Player 2. Then $\sum_{i=0}^{\infty} \sum_{v' \in V \setminus T} \mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\bigcirc^{i} v') < \infty$.


This result can be extended to all the strategies of Player 1. The main idea behind the proof is to fix a stationary fair strategy for Player 2 (e.g., a uniformly distributed strategy). This yields an MDP that stops for every strategy of Player 1, and furthermore, it can be seen as a one-player transient game (as defined in [18]). Hence, the result follows from Lemma 3 and Theorem 4.2.12 in [18].


Lemma 4. Let $G$ be a stochastic game that is stopping under fairness and let $T$ be the set of terminal states. In addition, let $\pi_1 \in \Pi_1$ be a strategy for Player 1 and $\pi_2 \in \Pi_2^{MF}$ be a fair and memoryless strategy for Player 2. Then

$\sum_{N=0}^{\infty} \sum_{\hat{\omega} \in (V \setminus T)^{N}} \mathrm{Prob}_{G,v}^{\pi_1,\pi_2}(\hat{\omega}) < \infty.$

Using the previous lemma, some fairly simple calculations lead to the fact that the value of the total accumulated reward payoff game is well-defined for any strategy of the players. As a consequence, the value of the game is bounded from above for any Player 1 strategy. This is stated in the next lemma.


Lemma 5. Let $G = (V,(V_1, V_2, V_p), \delta, r)$ be a stochastic game that is stopping under fairness, and $\pi_1 \in \Pi_1$ a strategy for Player 1. Then, for all memoryless fair strategies $\pi_2 \in \Pi_2^{MF}$ for Player 2 and all $v \in V$, $\mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] < \infty$. Moreover, for every vertex $v \in V$, $\inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] < \infty$.


The following lemma is crucial and plays an important role in the rest of 
the paper. Intuitively, it states that, when Player 1 plays with a memoryless 
strategy, Player 2 has an optimal deterministic memoryless fair strategy. This 
lemma is the guarantee of the eventual existence of a minimizing memoryless 
deterministic fair strategy for Player 2 in general. 


Lemma 6. Let $G = (V,(V_1, V_2, V_p), \delta, r)$ be a stochastic game that is stopping under fairness and let $\pi_1 \in \Pi_1^{M}$ be a memoryless strategy for Player 1. There exists a deterministic memoryless fair strategy $\pi_2^{*} \in \Pi_2^{MDF}$ such that $\inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] = \mathbb{E}_{G,v}^{\pi_1,\pi_2^{*}}[\mathrm{rew}]$, for every $v \in V$.


Proof (Sketch). Though it differs in the details, the proof strategy is inspired by the proof of Lemma 10.102 in [5]. We first construct a reduced MDP $G^{\pi_1}_{\min}$ which preserves exactly the optimizing part of the MDP $G^{\pi_1}$. Thus $\delta^{\pi_1}_{\min}(v, v') = \delta^{\pi_1}(v, v')$ if $v \in V_1 \cup V_p$, or $v \in V_2$ and $x_v = r(v) + x_{v'}$, where, for every $v \in V$, $x_v = \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$ (which exists due to Lemma 5). Otherwise, $\delta^{\pi_1}_{\min}(v, v') = 0$. $G^{\pi_1}_{\min}$ can be proved to be stopping under fairness.

Then, the strategy $\pi_2^{*}$ for $G^{\pi_1}_{\min}$ is constructed as follows. For every $v \in V$, let $\|v\|$ be the length of the shortest path fragment to some terminal vertex in $T$ in the MDP $G^{\pi_1}_{\min}$. Define $\pi_2^{*}(v)(v') = 1$ for some $v'$ such that $\delta^{\pi_1}_{\min}(v, v') = 1$ and $\|v\| = \|v'\| + 1$. By definition, $\pi_2^{*}$ is memoryless. We prove first that $\pi_2^{*}$ yields the optimal solution of $G^{\pi_1}$ by showing that the vector $(x_v)_{v \in V}$ (i.e., the optimal values of $G^{\pi_1}$) is a solution to the set of equations for expected rewards of the Markov chain $G^{\pi_1,\pi_2^{*}}$. The solution being unique, we have that $x_v = \mathbb{E}_{G,v}^{\pi_1,\pi_2^{*}}[\mathrm{rew}]$ for all $v \in V$ and hence the optimality of $\pi_2^{*}$. To conclude the proof we show by contradiction that $\pi_2^{*}$ is fair.


As already noted, semi-Markov strategies can be thought of as sequences of 
memoryless strategies. The next lemma uses this fact to show that, when Player 2 
plays a memoryless and fair strategy, semi-Markov strategies do not improve the 
value that Player 1 can obtain via memoryless deterministic strategies. The proof 
of the following lemma adapts the ideas of Theorem 4.2.9 in [18] to our games. 


Lemma 7. For any stochastic game $G$ that is stopping under fairness, and vertex $v$, it holds that:

$\sup_{\pi_1 \in \Pi_1^{S}} \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] = \sup_{\pi_1 \in \Pi_1^{MD}} \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$
Using the previous lemma, we can conclude that the problem of finding $\sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$, for any vertex $v$, can be solved by only focusing on deterministic memoryless strategies, as stated and proved in the following theorem.


Theorem 4. For any stochastic game $G$ that is stopping under fairness we have:

$\sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] = \sup_{\pi_1 \in \Pi_1^{MD}} \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$


Proof. First, we prove that the left-hand term is less than or equal to the right-hand one:

$\sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \le \sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \le \sup_{\pi_1 \in \Pi_1^{S}} \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \le \sup_{\pi_1 \in \Pi_1^{MD}} \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}].$

The first inequality follows from $\Pi_2^{MDF} \subseteq \Pi_2^{F}$, the second inequality is due to Lemma 2 and the fact that memoryless strategies are semi-Markov, and the last inequality is obtained by applying Lemma 7.

To prove the other inequality, we calculate:

$\sup_{\pi_1 \in \Pi_1^{MD}} \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] = \sup_{\pi_1 \in \Pi_1^{MD}} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \le \sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}].$

The first equality is a consequence of Lemma 6 and the second inequality is due to properties of suprema.


The standard technique to prove the determinacy of stopping games is by showing that the Bellman operator

$\Gamma(f)(v) = \begin{cases} r(v) + \sum_{v' \in \mathrm{post}(v)} \delta(v,v')\, f(v') & \text{if } v \in V_p \setminus T, \\ \max\{r(v) + f(v') \mid v' \in \mathrm{post}(v)\} & \text{if } v \in V_1 \setminus T, \\ \min\{r(v) + f(v') \mid v' \in \mathrm{post}(v)\} & \text{if } v \in V_2 \setminus T, \\ 0 & \text{if } v \in T. \end{cases}$

has a unique fixpoint. However, in the case of games stopping under fairness, $\Gamma$ has several fixpoints as shown by the next example.


Example 1. Consider the (one-player) game in Fig. 4, where Player 1's vertices are drawn as boxes, Player 2's vertices are drawn as diamonds, and probabilistic vertices are depicted as circles. Note that, in that game, the greatest fixpoint is $(1,1,1,0)$. Yet, $(0.5,0.5,1,0)$ is also a fixpoint as $\Gamma(0.5,0.5,1,0) = (0.5,0.5,1,0)$. In fact, the Bellman operator for this game has infinitely many fixpoints: any $f$ of the form $(x,x,1,0)$ with $x \in [0,1]$.

Fig. 4. A game with infinite fixpoints

Thus, the standard approach cannot be used here. Instead, we use the greatest fixpoint for proving determinacy, but this cannot be done directly on $\Gamma$. A main difficulty is that the Knaster-Tarski theorem does not apply for $\Gamma$ since $(\mathbb{R}^{V}, \le)$ is not a complete lattice. Using instead the extended reals $((\mathbb{R} \cup \{\infty\})^{V})$ is not a solution, as in some cases the greatest fixpoint will assign $\infty$ to some vertices (e.g., $(\infty, \infty, 0)$ would be the greatest fixpoint in the Markov chain of Fig. 5). One possible approach is to approximate the greatest fixpoint from an estimated upper bound via value iteration. Unfortunately, there may not be an order relation between $f$ and $\Gamma(f)$, and it may turn out that for some vertex $v$, $\Gamma(f)(v) > f(v)$ before converging to the fixpoint. This is shown in the next example.


Example 2. Consider the game depicted in Fig. 5. The (unique) fixpoint in this case is $(100, 90, 0)$. Observe that we have $\Gamma(120, 100, 0) = (110, 108, 0)$, thus the value at $v_1$ increases after one iteration. Several iterations are then needed to reach the greatest fixpoint. Thus, in general, starting value iteration from an estimated upper bound does not guarantee a monotone convergence to the greatest fixpoint.

We overcome the aforementioned issues by using a modified version of $\Gamma$. Roughly speaking, we modify the Bellman operator in such a way that it operates over a complete lattice.

Fig. 5. A game where value iteration may go up

Notice that, by Lemma 5, the value $\mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$ is finite for every stopping game under fairness $G$ and strategies $\pi_1 \in \Pi_1^{MD}$, $\pi_2 \in \Pi_2^{MDF}$. Furthermore, because the number of deterministic memoryless strategies is finite, we also have that the number $\max\{\inf_{\pi_2 \in \Pi_2^{MDF}} \sup_{\pi_1 \in \Pi_1^{MD}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \mid v \in V\}$ is well defined. From now on, fix a number $U > \max\{\inf_{\pi_2 \in \Pi_2^{MDF}} \sup_{\pi_1 \in \Pi_1^{MD}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \mid v \in V\}$. We define a modified Bellman operator $\Gamma^{*} : [0,U]^{V} \to [0,U]^{V}$ as follows.

$\Gamma^{*}(f)(v) = \begin{cases} \min\left(r(v) + \sum_{v' \in \mathrm{post}(v)} \delta(v,v')\, f(v'),\ U\right) & \text{if } v \in V_p \setminus T, \\ \min\left(\max\{r(v) + f(v') \mid v' \in \mathrm{post}(v)\},\ U\right) & \text{if } v \in V_1 \setminus T, \\ \min\left(\min\{r(v) + f(v') \mid v' \in \mathrm{post}(v)\},\ U\right) & \text{if } v \in V_2 \setminus T, \\ 0 & \text{if } v \in T. \end{cases}$


Note that $\Gamma^{*}$ is monotone, which can be proven by observing that maxima, minima and convex combinations are all monotone operators. Furthermore, $\Gamma^{*}$ is also Scott continuous (it preserves suprema of directed sets); this can be proven similarly as in [10]. The following proposition formalizes these properties.

Proposition 1. $\Gamma^{*}$ is monotone and Scott-continuous.

Note that $([0,U]^{V}, \le)$ is a complete lattice. Thus by Proposition 1 and the Knaster-Tarski theorem [15], the (non-empty) set of fixed points of $\Gamma^{*}$ forms a complete lattice, and the greatest fixpoint of the operator can be approximated by successive applications of $\Gamma^{*}$ to the top element (i.e., $U$) [15]. In the following we denote by $\nu\Gamma^{*}$ the greatest fixed point of $\Gamma^{*}$.

The following theorem states that games restricted to fair strategies on Player 2 are determinate. Furthermore, the value of the game is given by the greatest fixpoint of $\Gamma^{*}$.


Theorem 5. Let $G$ be a stochastic game that is stopping under fairness. It holds that:

$\inf_{\pi_2 \in \Pi_2^{F}} \sup_{\pi_1 \in \Pi_1} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] = \sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] = \nu\Gamma^{*}(v)$


Proof. First, note that $\inf_{\pi_2 \in \Pi_2^{MDF}} \sup_{\pi_1 \in \Pi_1^{MD}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$ is a fixed point of $\Gamma^{*}$. Thus we have:

$\sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \le \inf_{\pi_2 \in \Pi_2^{F}} \sup_{\pi_1 \in \Pi_1} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \le \inf_{\pi_2 \in \Pi_2^{MDF}} \sup_{\pi_1 \in \Pi_1^{MD}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \le \nu\Gamma^{*}(v)$

for any $v$. The first inequality is a standard property of suprema and infima [21]; the second inequality holds because $\Pi_2^{MDF} \subseteq \Pi_2^{F}$ and by standard properties of MDPs: by fixing a deterministic memoryless fair strategy for Player 2 we obtain a transient MDP, and the optimal strategy for Player 1 in this MDP is obtained via a deterministic memoryless strategy [20]. The last inequality holds because $\inf_{\pi_2 \in \Pi_2^{MDF}} \sup_{\pi_1 \in \Pi_1^{MD}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$ is a fixpoint of $\Gamma^{*}$.

It remains to prove that $\sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \ge \nu\Gamma^{*}(v)$. Note that, if there is $\pi_1 \in \Pi_1$ such that $\inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}] \ge \nu\Gamma^{*}(v)$, the property above follows by properties of the supremum. Consider the strategy $\pi_1^{*}$ defined as follows: $\pi_1^{*}(v) \in \arg\max\{\nu\Gamma^{*}(v') + r(v) \mid v' \in \mathrm{post}(v)\}$. Note that $\pi_1^{*}$ is a memoryless and deterministic strategy. For any memoryless, deterministic and fair strategy $\pi_2 \in \Pi_2^{MDF}$ we have $\nu\Gamma^{*}(v) \le \mathbb{E}_{G,v}^{\pi_1^{*},\pi_2}[\mathrm{rew}]$ (by definition of $\Gamma^{*}$). Thus, $\nu\Gamma^{*}(v) \le \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1^{*},\pi_2}[\mathrm{rew}]$ and then: $\nu\Gamma^{*}(v) \le \sup_{\pi_1 \in \Pi_1^{MD}} \inf_{\pi_2 \in \Pi_2^{MDF}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$. Finally, by Theorem 4 we get: $\nu\Gamma^{*}(v) \le \sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2^{F}} \mathbb{E}_{G,v}^{\pi_1,\pi_2}[\mathrm{rew}]$.


Considerations for an algorithmic solution. Value iteration [9] has been used to compute maximum/minimum expected accumulated reward in MDPs, e.g., in the PRISM model checker. Usually, the value is computed by approximating the least fixpoint from below using the Bellman equations [9]. In [6], the authors propose to approach these values from both a lower and an upper bound (known as interval iteration [19]). To do so, [6] shows a technique for computing upper bounds for the expected total rewards for MDPs. This approach is based on the fact that, given a stopping MDP $G$, $\mathbb{E}_{G,v}^{\pi_1}[\mathrm{rew}] = \sum_{v' \in R(v)} \zeta_v^{\pi_1}(v') \cdot r(v')$, where $R(v)$ denotes the set of reachable states from $v$, and $\zeta_v^{\pi_1}(v')$ denotes the expected number of times to visit $v'$ in the Markov chain induced by $\pi_1$ when starting at $v$. [6] describes how to compute a value $\zeta_v^{*}(v')$ such that $\zeta_v^{*}(v') \ge \sup_{\pi_1 \in \Pi_1} \zeta_v^{\pi_1}(v')$. Thus, $\sum_{v' \in R(v)} \zeta_v^{*}(v') \cdot r(v')$ gives an upper bound for $\sup_{\pi_1} \mathbb{E}_{G,v}^{\pi_1}[\mathrm{rew}]$. Our algorithm uses these ideas to provide an upper bound for two-player games. Roughly
speaking, the above defined functional $\Gamma^{*}$ presents a form of Bellman equations that enables a value iteration algorithm to solve these games. We need to start with some value vector larger than such a fixpoint. Given a stopping under fairness game, we fix a (memoryless) fair strategy for the environment, thus obtaining an MDP. We then use the techniques described above to find an upper bound for this MDP, which in turn is an upper bound in the original game. The obvious fair strategy to use is the one based on the uniform distribution (as in Theorem 1). This idea is described in Algorithm 1. It is worth noting that, instead of using a unique upper bound for every vertex (as in the definition of $\Gamma^{*}$), the algorithm may use a different upper bound for each component of the value vector; this improves the number of iterations performed by the algorithm. We have implemented Algorithm 1 as a prototype embedded in the PRISM-games toolset [22], as described in the next section.

Algorithm 1 Algorithm for computing GFP
Require: $G$ is a stopping under fairness game
  $\delta' \leftarrow \lambda (v, v').\ (v \in V_1 \cup V_p)\ ?\ \delta(v, v') : \frac{1}{|\mathrm{post}(v)|}$
  $G' \leftarrow (V, (V_1, \emptyset, V_2 \cup V_p), \delta')$
  $U \leftarrow \lambda v.\ \sum_{v' \in R(v)} \zeta_v^{*}(v') \cdot r(v')$
  $x' \leftarrow U$
  repeat
    $x \leftarrow x'$
    $x' \leftarrow \Gamma^{*}(x)$
  until $\|x - x'\| < \epsilon$
  return $x'$
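The operator $\Gamma^{*}$ defined earlier in this section and Algorithm 1 above, as an added Python example written for this page (not the paper's or the PRISM-games code): it runs value iteration downward from an upper bound on a small constructed game, compares the result with the usual ascent from 0 that an MDP solver would perform, checks after the fact that the bound was large enough, and extracts the Player 1 strategy of Theorem 5. The bound $U$ from [6] is assumed to be supplied by the caller rather than computed.

```python
"""Value iteration on the modified Bellman operator Gamma* (Algorithm 1).

Added example, not code from the paper or from PRISM-games.  A game maps
each vertex to its owner ('p1' maximiser, 'p2' fair minimiser, 'prob'),
its reward r(v), and its successor map {v': delta(v, v')}.  Assumption: the
upper bound U is supplied by the caller (the paper obtains it from the MDP
bound of [6], which is not reproduced here) and must exceed every game
value; a post-hoc check below flags a U that was too small.
"""

def post(game, v):
    return {w for w, p in game[v]["succ"].items() if p > 0}

def terminals(game):
    return {v for v in game if game[v]["succ"] == {v: 1.0}}

def bellman(game, f, U=None):
    """One step of Gamma (U=None) or of Gamma* = min(Gamma, U)."""
    T, g = terminals(game), {}
    for v, node in game.items():
        if v in T:
            g[v] = 0.0
            continue
        r = node["r"]
        if node["owner"] == "prob":
            val = r + sum(p * f[w] for w, p in node["succ"].items())
        elif node["owner"] == "p1":
            val = max(r + f[w] for w in post(game, v))
        else:
            val = min(r + f[w] for w in post(game, v))
        g[v] = val if U is None else min(val, U)
    return g

def iterate(game, start, U=None, eps=1e-6, max_iter=10**6):
    """Apply the operator until the sup-norm step is below eps."""
    x = dict(start)
    for it in range(1, max_iter + 1):
        x_new = bellman(game, x, U)
        if max(abs(x_new[v] - x[v]) for v in game) < eps:
            return x_new, it
        x = x_new
    raise RuntimeError("value iteration did not converge")

def greatest_fixpoint(game, U, eps=1e-6):
    """Algorithm 1: start from the top element U (0 on terminals) of the
    complete lattice [0, U]^V and descend to the greatest fixpoint of Gamma*."""
    top = {v: 0.0 if v in terminals(game) else float(U) for v in game}
    return iterate(game, top, U, eps)

def least_fixpoint(game, eps=1e-6):
    """The usual MDP approach: ascend from 0 with the unmodified Gamma."""
    return iterate(game, {v: 0.0 for v in game}, None, eps)

def is_fixpoint_of_gamma(game, x, tol=1e-4):
    """If greatest_fixpoint was clipped somewhere, its result is not a
    fixpoint of the unclipped Gamma, which means U was chosen too small."""
    y = bellman(game, x, None)
    return all(abs(y[v] - x[v]) < tol for v in game)

def optimal_p1_strategy(game, values):
    """Memoryless deterministic choice argmax {nu(v') + r(v)} of Theorem 5;
    r(v) does not depend on v', so it is enough to compare nu(v')."""
    return {v: max(sorted(post(game, v)), key=lambda w: values[w])
            for v in game if game[v]["owner"] == "p1" and v not in terminals(game)}

# Constructed game.  From s, Player 1 can take the certain reward 1 via p, or
# go to c, where the fair minimiser can stall (c -> s) but must eventually
# take c -> q, which pays 2 and returns to s with probability 1/2.
GAME = {
    "s": {"owner": "p1",   "r": 0.0, "succ": {"c": 1.0, "p": 1.0}},
    "c": {"owner": "p2",   "r": 0.0, "succ": {"s": 1.0, "q": 1.0}},
    "p": {"owner": "prob", "r": 1.0, "succ": {"t": 1.0}},
    "q": {"owner": "prob", "r": 2.0, "succ": {"t": 0.5, "s": 0.5}},
    "t": {"owner": "prob", "r": 0.0, "succ": {"t": 1.0}},
}

if __name__ == "__main__":
    lo, _ = least_fixpoint(GAME)           # s = 1: the stall at c is taken at face value
    hi, n = greatest_fixpoint(GAME, U=10)  # s = 4: fairness forces c -> q eventually
    print("least fixpoint   :", lo)
    print("greatest fixpoint:", hi, "after", n, "iterations")
    print("U large enough   :", is_fixpoint_of_gamma(GAME, hi))
    print("Player 1 strategy:", optimal_p1_strategy(GAME, hi))
```

The game has the whole segment of fixpoints $(x, x, 1, 2 + x/2, 0)$ for $x \in [1, 4]$, so only the descent from $U$ recovers the fair value 4 at $s$.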


5 Experimental Validation 


In order to evaluate the viability of our approach, we have extended the model checker PRISM [22,23] with an operator to compute the expected rewards for stochastic games that stop under fairness. The prototype also allows one to check whether a game is stopping under fairness. The tool takes as input a model describing the game in PRISM notation and returns as output the optimal expected total reward for a given initial state as well as the synthesized optimal controller strategy (under fairness assumptions). The experimental evaluation shows that our approach can cope with non-trivial case studies. For computing these values we set a relative error of at most $\epsilon = 10^{-6}$.


Roborta vs. the Fair Light. Table 1 shows the results of the example introduced in Sect. 2 for multiple configurations. We considered three variants of the case study: version A (the light does not fail), version B (the light can only fail when trying to signal a green light), and version C (the light can fail when trying to signal any kind of light). We assumed that, when Roborta fails, she cannot move (this is beneficial to Roborta since she can re-collect the reward); when the light fails, the robot can freely move in any allowed direction. The grid configuration (movement restrictions and rewards) is randomly generated. For each setting, Table 1 describes the results for three different scenarios generated starting at different seeds. For the grid configuration shown in Sect. 2 with parameters $P = 0.1$ and $Q = 0$, the tool derived the optimal strategy depicted in Fig. 2 and reports an expected total reward of 5.55.
Autonomous UAV vs. Human Operator. We adapted the case study analyzed in [17]. A remotely controlled Unmanned Aerial Vehicle (UAV) is used to perform intelligence, surveillance, and reconnaissance (ISR) missions over a road network. The UAV performs piloting functions autonomously (selecting a path to fly between waypoints). The human operator (environment) controls the onboard sensor to capture imagery at a waypoint as well as the piloting functions on certain waypoints (called checkpoints). Note that an operator can continuously try to get a better image by making the UAV loiter around a certain waypoint; this may lead to an unfair behavior. Each successful capture from an unvisited waypoint grants a reward. Figure 6 shows an example of a road network consisting of six surveillance waypoints labeled $w_0, w_1, \ldots, w_5$; the edges represent connecting paths, a red-dashed line means that the path is dangerous enough to make the UAV stop working with probability 1, while on any other path this probability is $S$. Checkpoints are depicted as pink nodes, where the operator can still delegate the piloting task to the UAV with probability $D$. Each node is annotated with three possible rewards. For instance, for $S = 0.3$ and $D = 0.5$ and the leftmost reward values in each triple, the synthesized strategy for the UAV tries to follow the optimal circuit $w_0, w_1, w_2, w_3, w_4, w_5$. For the middle and rightmost reward values, the optimal circuits to follow are $w_0, w_5, w_0, w_1, w_2, w_3, w_4$ and $w_0, w_5, w_4, w_1, w_2, w_3$, respectively. Table 2 shows the results obtained for this game for several randomly generated road networks.

Fig. 6. UAV Network for ISR missions adapted from [17]

Tables 1 and 2 do not report the time taken to compute the results, but in all cases the output was computed in less than 400 s. All the experiments were run on a MacBook Air with an Intel Core i5 at 1.3 GHz and 4 GB of RAM.




6 Related Work 


Stochastic games with payoff functions have been extensively investigated in the literature. In [18], several results are presented about transient games, a generalized version of stopping stochastic games with total reward payoff. In transient games, both players possess optimal (memoryless and deterministic) strategies. Most importantly, the games are determined and their value can be computed as the least fixed point of a set of equations. Most of these results are based on the fact that the $\Gamma$ functional (see Sect. 4) for transient games has a unique fixed point. Notice that in this paper we have dealt with games that are stopping only under fairness assumptions. Thus, the corresponding functional may have several fixed points. Hence, the main results presented in [18] do not apply to our setting.

[12] and [28] present logical frameworks for the verification and synthesis of 
systems. While [12] provides a solution for a probabilistic branching temporal 
Table 1. Results for Roborta vs. Light Game. The first column gives the version and the grid size. The second column indicates the fault probability for the robot (P) and the light (Q). The other columns describe the size of the model (shown once per version and grid, on its first two rows), the expected total reward for the optimal strategy, and the number of iterations performed, respectively, for three different randomly generated grid configurations.

Version   | Fault prob. | Size (States/Transitions)           | Opt. Expect. Total Rew.  | Iterations
          | P   | Q     | s. 1      | s. 2      | s. 3      | s. 1   | s. 2   | s. 3   | s. 1 | s. 2 | s. 3
A 60x8    | 0.1 | -     | st. 1448  | st. 1418  | st. 1421  | 26.66  | 31.11  | 27.77  | 711  | 681  | 252
          | 0.5 | -     | tr. 3220  | tr. 3112  | tr. 3132  | 48     | 56     | 50     | 2253 | 2225 | 475
A 120x16  | 0.1 | -     | st. 5686  | st. 5716  | st. 5716  | 62.22  | 55.55  | 48.88  | 687  | 700  | 685
          | 0.5 | -     | tr. 12586 | tr. 12658 | tr. 12722 | 112    | 100    | 88     | 2231 | 2265 | 2229
B 60x8    | 0.1 | 0.1   | st. 1928  | st. 1888  | st. 1892  | 42.6   | 44.59  | 42.23  | 479  | 335  | 388
          | 0.1 | 0.5   | tr. 5952  | tr. 5746  | tr. 5785  | 130.14 | 127.7  | 136.22 | 772  | 689  | 824
          | 0.5 | 0.1   |           |           |           | 76.68  | 80.26  | 76.02  | 873  | 764  | 909
          | 0.5 | 0.5   |           |           |           | 234.26 | 229.87 | 245.21 | 1263 | 1139 | 1341
B 120x16  | 0.1 | 0.1   | st. 7576  | st. 7616  | st. 7616  | 91.19  | 87.27  | 80.07  | 538  | 544  | 616
          | 0.1 | 0.5   | tr. 23266 | tr. 23400 | tr. 23528 | 281.83 | 281.48 | 265.33 | 1076 | 1118 | 1252
          | 0.5 | 0.1   |           |           |           | 164.15 | 157.1  | 144.13 | 1147 | 1223 | 1373
          | 0.5 | 0.5   |           |           |           | 507.30 | 506.67 | 477.6  | 1850 | 1865 | 2088
C 60x8    | 0.1 | 0.1   | st. 1928  | st. 1888  | st. 1892  | 46.32  | 47.07  | 44.87  | 379  | 336  | 390
          | 0.1 | 0.5   | tr. 6432  | tr. 6216  | tr. 6256  | 143.35 | 146.41 | 153.98 | 742  | 658  | 774
          | 0.5 | 0.1   |           |           |           | 83.37  | 84.73  | 80.77  | 879  | 769  | 914
          | 0.5 | 0.5   |           |           |           | 258.04 | 263.53 | 277.17 | 1202 | 1076 | 1246
C 120x16  | 0.1 | 0.1   | st. 7576  | st. 7616  | st. 7616  | 98.25  | 93.74  | 88.33  | 533  | 544  | 606
          | 0.1 | 0.5   | tr. 25156 | tr. 25300 | tr. 25428 | 321.18 | 317.61 | 311.62 | 1002 | 1068 | 1188
          | 0.5 | 0.1   |           |           |           | 176.85 | 168.73 | 158.99 | 1147 | 1227 | 1365
          | 0.5 | 0.5   |           |           |           | 578.13 | 571.71 | 560.92 | 1700 | 1760 | 1956


Table 2. Results for the UAV vs. Operator Game. First column describes the number of 
waypoints used. Second column indicates probability of delegation (D), and the proba- 
bility that the UAV stops working (S). The other columns show the size of the model, the 
expected total reward for the optimal strategy, and the number of iterations performed, 
respectively, for three different randomly generated roadmap configurations. 


Version Prob. Size(States/Transitions) Opt. Expect. Total Rew. Iterations 

D| Ss s. 1 s. 2 s.3 s. 1 s. 2 s.3 s.l}/s.2/s.3 

0.1 0.05 16.72 12.47 13.14 | 142 | 248] 22 

UAV 0.1 | st. 213 st. 508 st. 136 15.73 11.15 12.63 | 73 | 188] 22 
6w. 0.5 0.05) tr. 504 | tr. 1368 | tr. 312 20.49 | 12.77 | 17.05 | 103 |133 | 22 
0.1 18.87 | 11.67 | 15.95 | 55 | 70 | 22 

0.1 0.05 17.88 | 40.59 24.6 |407 | 332 | 779 

UAV 0.1 | st. 2177 | st. 3591 | st. 1426 TREL 34.3 21.48 | 280 | 233 | 437 
8w. 0.5 0.05| tr. 5959 | tr. 9991 | tr. 3604 26 42.21 30.87 |128 | 214 | 257 
0.1 23.44 36.08 24.72 | 116 | 113 | 194 

04 0.05 39.76 28.7 19.76 |256 | 377 | 356 

UAV 0.1 | st. 6631 | st. 5072 | st. 8272 | 35.43 | 23.36 16.2 |136 | 260 | 154 
10w. 0.5 | 0:05] *: 17306 | tr. 13052 | tr. 24376 | 42.13 | 30.77 | 24.56 |250 |247 | 292 
0.1 37.11 26.08 19.27 | 130 | 134 | 151 
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logic extended with expected total, discounted, and average reward objective 
functions, [28] does the same in a similar extension of a probabilistic linear 
temporal logic. Both frameworks were implemented in the tool PRISM [22, 23]. 
Although a vast class of properties can be expressed in these frameworks, none of 
them are presented under fair environments. In fact, these works are on stochastic 
multiplayer games in which each player is treated equally. 

However, of all the operators in [12,22,28], $\langle\langle p_1\rangle\rangle R^{\max=?}[F^{\infty} T]$ is the closest to our proposal and it deserves a deeper comparison. $\langle\langle p_1\rangle\rangle R^{\max=?}[F^{\infty} T]$ returns the expected accumulated reward until reaching $T$, in which infinite plays receive an infinite value [12,22]. PRISM approximates this value by computing a greatest fixpoint. It uses a two-phase algorithm to do so: (i) it first replaces zero rewards with a small positive value and applies value iteration on this modification to get an estimated upper bound, and (ii) this upper bound is used to start another value iteration process aimed at computing the greatest fixpoint. This heuristic could return erroneous approximations of the greatest fixpoint.

We illustrate this with a simple example. Consider the game depicted in Fig. 7. For any $p$, the value of the greatest fixpoint in vertex $v_0$ is 2. However, by taking $p = 0.99$ and tolerance $\epsilon = 10^{-6}$, PRISM returns a value close to 39608. This occurs because PRISM changes 0 to the value 0.02, which results in an extremely large upper bound. Obviously, it also returns an incorrect strategy for vertex $v_0$. We have checked this example with our tool, and it returned the correct value for vertex $v_0$ in 2 iterations, regardless of the value of $p$. We have chosen a large value for $p$ to make the difference noticeable. Small values of $p$ may also produce different values in, e.g., $v_1$, but there the difference could be blamed on approximation errors. We have also run this operator on our case studies and observed small differences in many of them (particularly on Roborta) that get larger as the fault probabilities get larger.

[Fig. 7 (drawing not reproduced). A simple two-player game: only probabilities less than 1 are shown.]
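The computation discussed above, the value of a total-reward game as a fixed point of the Bellman functional $\Gamma$ approximated by value iteration, as an added example in Python that is not part of the paper or its tool. The game is constructed here and is not the game of Fig. 7: at $v_0$ the minimizer (environment) may loop forever with zero reward, which is exactly the unfair behaviour that fairness rules out. Iterating $\Gamma$ from 0 yields the least fixed point (value 0 at $v_0$, the unfair minimizer never leaves), while iterating from an upper bound yields the greatest fixed point (value 3 at $v_0$, the value under fair minimizer strategies); the vertex names, rewards and the upper bound 100 are assumptions of the example.

```python
"""Least vs. greatest fixed point of the total-reward functional on a small
two-player stochastic game (added example; the game is constructed here and is
not the game of Fig. 7 of the paper)."""
from typing import Dict, List, Tuple

Vertex = str
# An action is a distribution over (probability, reward, successor) triples.
Action = List[Tuple[float, float, Vertex]]
# Each vertex carries its owner ("max" = system, "min" = environment) and its
# actions; a vertex with no actions is terminal and has value 0.
Game = Dict[Vertex, Tuple[str, List[Action]]]

# Constructed game (assumption, not from the paper).  At v0 the environment may
# stay forever with reward 0 (the unfair behaviour fairness rules out) or move
# to v1 paying reward 1; v1 is a maximizer vertex that terminates in t.
GAME: Game = {
    "v0": ("min", [[(1.0, 0.0, "v0")], [(1.0, 1.0, "v1")]]),
    "v1": ("max", [[(0.5, 1.0, "t"), (0.5, 3.0, "t")]]),
    "t":  ("max", []),
}


def bellman(game: Game, values: Dict[Vertex, float]) -> Dict[Vertex, float]:
    """One application of the functional: expected immediate reward plus
    successor value, maximised (resp. minimised) over the owner's actions."""
    new: Dict[Vertex, float] = {}
    for v, (owner, actions) in game.items():
        if not actions:            # terminal vertex: no further reward
            new[v] = 0.0
            continue
        q = [sum(p * (r + values[s]) for p, r, s in a) for a in actions]
        new[v] = max(q) if owner == "max" else min(q)
    return new


def value_iteration(game: Game, start: Dict[Vertex, float],
                    tol: float = 1e-9, max_iter: int = 10_000):
    """Iterate the functional from `start` until the values stop changing;
    returns the values and the number of iterations used."""
    values = dict(start)
    for i in range(1, max_iter + 1):
        new = bellman(game, values)
        delta = max(abs(new[v] - values[v]) for v in game)
        values = new
        if delta < tol:
            return values, i
    raise RuntimeError("value iteration did not converge")


def least_fixed_point(game: Game):
    """Kleene iteration from 0: the value when the minimizer may play unfairly
    (here: stay at v0 forever and collect nothing)."""
    return value_iteration(game, {v: 0.0 for v in game})


def greatest_fixed_point(game: Game, upper: float):
    """Iteration from an upper bound on the value: the iterates decrease and,
    for this game, stop at the greatest fixed point, i.e. the value once the
    minimizer must eventually leave v0."""
    return value_iteration(game, {v: upper for v in game})


if __name__ == "__main__":
    lfp, n_lfp = least_fixed_point(GAME)
    gfp, n_gfp = greatest_fixed_point(GAME, 100.0)
    print("least fixed point   ", lfp, "after", n_lfp, "iterations")
    print("greatest fixed point", gfp, "after", n_gfp, "iterations")
```

The two runs converge to different fixed points of the same functional, which is the situation the paper describes for games that stop only under fairness: the least fixed point credits the environment with an unfair strategy, the greatest one is the value the paper proves correct under fair strategies. Starting the second run from a bound that is not a true upper bound would not be safe in general, so the choice of starting point matters as much as the tolerance.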

Stochastic shortest path games [26] are two-player stochastic games with (negative or positive) rewards in which the minimizer's strategies are classified into proper and improper; proper strategies are those ensuring termination. As proven in [26], these games are determined, and both players possess memoryless optimal strategies. To prove these results, the authors assume that the expected game value for improper strategies is $\infty$; this ensures that the corresponding functional is a contraction and thus has a unique fixpoint. In contrast, we restrict ourselves to non-negative rewards but we do not make any assumptions over unfair strategies; as mentioned above, the corresponding functional for our games may have several fixpoints. Furthermore, we proved that the value of the game is given by the greatest fixpoint of $\Gamma$. In recent years, several authors have investigated stochastic shortest path problems for MDPs (i.e., one-player games), where the assumption over improper strategies is relaxed (e.g., [3]); to the best of our knowledge, these results have not been extended to two-player games.

In [4] the authors tackle the problem of synthesizing a controller that maxi- 
mizes the probability of satisfying an LTL property. Fairness strategies are used to 
reduce this problem to the synthesis of a controller maximizing a PCTL property 
over a product game. However, this article does not address expected rewards 
and game determinacy under fairness assumptions. 

Interestingly, in [2] the authors consider the problem of winning a (non-stochastic) two-player game with fairness assumptions over the environment. The objective of the system is to guarantee an ω-regular property. The authors show that winning in these games is equivalent to almost-sure winning in a Markov decision process. It must be noted that this work only considers non-stochastic games. Furthermore, payoff functions are not considered therein.

Finally, we remark that in qualitative ω-regular stochastic games [1] strong fairness can easily be considered by properly transforming the original ω-regular objective. Notably, in this setting, [8] shows that qualitative Rabin conditions on stochastic games can be solved by translating this problem into a two-player (non-stochastic) game with the same Rabin condition under extreme fairness, following a somewhat inverse direction to the one we used to prove Theorem 2.


7 Concluding Remarks 


In this paper, we have investigated the properties of stochastic games with total reward payoff under the assumption that the minimizer (i.e., the environment) plays only with fair strategies. We have shown that, in this scenario, determinacy is preserved and both players have optimal memoryless and deterministic strategies; furthermore, the value of the game can be calculated by approximating a greatest fixed point of a Bellman operator. We have only considered non-negative rewards in this paper. A possible way of extending the results presented here to games with negative rewards is to adapt the techniques presented in [3] for MDPs with negative costs; we leave this as future work.

In order to show the applicability of our technique, we have presented two 
examples of applications and an experimental validation over diverse instances of 
these case studies using our prototype tool. We believe that fairness assumptions 
allow one to consider more realistic behavior of the environment. 

We have not investigated other common payoff functions such as discounted payoff or limiting-average payoff. A benefit of these classes of functions is that the value of a game is well-defined even when the game is not stopping. At first sight, the notion of fairness is of little relevance for games with discounted payoff, since these kinds of payoff functions take most of their value from the initial parts of runs. For limiting-average payoff the situation is different, and fairness assumptions may be relevant as they could change the value of games; we leave this as further work.
Abstract. In this paper, we present the first fully-automated expected
amortised cost analysis of self-adjusting data structures, that is, of ran- 
domised splay trees, randomised splay heaps and randomised meldable 
heaps, which so far have only (semi-)manually been analysed in the liter- 
ature. Our analysis is stated as a type-and-effect system for a first-order 
functional programming language with support for sampling over discrete 
distributions, non-deterministic choice and a ticking operator. The lat- 
ter allows for the specification of fine-grained cost models. We state two 
soundness theorems based on two different—but strongly related—typing 
rules of ticking, which account differently for the cost of non-terminating 
computations. Finally we provide a prototype implementation able to 
fully automatically analyse the aforementioned case studies. 


Keywords: amortised cost analysis - functional programming - 
probabilistic data structures - automation - constraint solving 


1 Introduction 


Probabilistic variants of well-known computational models such as automata, Turing machines or the λ-calculus have been studied since the early days of computer science (see [16,17,25] for early references). One of the main reasons for considering probabilistic models is that they often allow for the design of more efficient algorithms than their deterministic counterparts (see e.g. [6,23,25]). Another avenue for the design of efficient algorithms has been opened up by Sleator and Tarjan [34,36] with their introduction of the notion of amortised complexity. Here, the cost of a single data structure operation is not analysed in isolation but as part of a sequence of data structure operations. This allows for the design of algorithms where the cost of an expensive operation is averaged out over multiple operations and results in a good overall worst-case cost. Both methodologies—probabilistic programming and amortised complexity—can be combined for the design of even more efficient algorithms, as for example in randomized splay trees [1], where a rotation in the splaying operation is only performed with some probability (which improves the overall performance by skipping some rotations while still guaranteeing that enough rotations are performed).

© The Author(s) 2022

In this paper, we present the first fully-automated expected amortised cost anal- 
ysis of probabilistic data structures, that is, of randomised splay trees, randomised 
splay heaps, randomised meldable heaps and a randomised analysis of a binary 
search tree. These data structures have so far only (semi-)manually been anal- 
ysed in the literature. Our analysis is based on a novel type-and-effect system, 
which constitutes a generalisation of the type system studied in [14, 18] to the non- 
deterministic and probabilistic setting, as well as an extension of the type system 
introduced in [37] to sublinear bounds and non-determinism. We provide a proto- 
type implementation that is able to fully automatically analyse the case studies 
mentioned above. We summarise here the main contributions of our article: (i) 
We consider a first-order functional programming language with support for sam- 
pling over discrete distributions, non-deterministic choice and a ticking operator, 
which allows for the specification of fine-grained cost models. (ii) We introduce 
compact small-step as well as big-step semantics for our programming language. 
These semantics are equivalent wrt. the obtained normal forms (i.e., the result- 
ing probability distributions) but differ wrt. the cost assigned to non-terminating 
computations. (iii) Based on [14,18], we develop a novel type-and-effect system 
that strictly generalises the prior approaches from the literature. (iv) We state two 
soundness theorems (see Sect. 5.3) based on two different—but strongly related— 
typing rules of ticking. The two soundness theorems are stated wrt. the small- 
step resp. big-step semantics because these semantics precisely correspond to the 
respective ticking rule. The more restrictive ticking rule can be used to establish 
(positive) almost sure termination (AST), while the more permissive ticking rule 
supports the analysis of a larger set of programs (which can be very useful in case 
termination is not required or can be established by other means); in fact, the more 
permissive ticking rule is essential for the precise cost analysis of randomised splay 
trees. We note that the two ticking rules and corresponding soundness theorems do 
not depend on the details of the type-and-effect system, and we believe that they 
will be of independent interest (e.g., when adapting the framework of this paper to 
other benchmarks and cost functions). (v) Our prototype implementation ATLAS 
strictly extends the earlier version reported on in [18], and all our earlier evaluation 
results can be replicated (and sometimes improved). 

With our implementation and the obtained experimental results we make 
two contributions to the complexity analysis of data structures: 


1. We automatically infer bounds on the expected amortised cost, which could previously only be obtained by sophisticated pen-and-paper proofs. In particular, we verify that the amortised costs of randomised variants of self-adjusting data structures improve upon their non-randomised variants. In Table 1 we state the expected cost of the randomised data structures considered and their deterministic counterparts; the benchmarks are detailed in Sect. 2.
Table 1. Expected Amortised Cost of Randomised Data Structures. We also state the deterministic counterparts considered in [18] for comparison.

                          probabilistic                          deterministic [18]
Splay Tree
  insert                  3/4 log2(|t|) + 3/4 log2(|t| + 1)      2 log2(|t|) + 3/2
  delete                  9/8 log2(|t|)                          5/2 log2(|t|) + 3
  splay                   9/8 log2(|t|)                          3/2 log2(|t|)
Splay Heap
  (row unreadable in the source)
  delete_min              3/4 log2(|h|)                          log2(|h|)
Meldable Heap
  (row unreadable in the source)
  delete_min              2 log2(|h|)                            not applicable
  meld                    log2(|h1|) + log2(|h2|)
Coin Search Tree
  (row unreadable in the source)
  delete                  3/2 log2(|t|) + 1                      not applicable
  delete_max              3/2 log2(|t|)

2. We establish a novel approach to the expected cost analysis of data structures. 
Our research has been greatly motivated by the detailed study of Albers et 
al. in [1] of the expected amortised costs of randomised splaying. While [1] 
requires a sophisticated pen-and-paper analysis, our approach allows us to 
fully-automatically compare the effect of different rotation probabilities on 
the expected cost (see Table 2 of Sect. 6). 


Related Work. The generalisation of the model of computation and the study 
of the expected resource usage of probabilistic programs has recently received 
increased attention (see e.g. [2,4,5,7,10,11,15,21,22,24,27,37,38]). We focus on 
related work concerned with automations of expected cost analysis of determin- 
istic or non-deterministic, probabilistic programs—imperative or functional. (A 
probabilistic program is called non-deterministic, if it additionally makes use of 
non-deterministic choice.) 

In recent years the automation of expected cost analysis of probabilistic data structures or programs has gained momentum, cf. [2-5,22,24,27,37,38]. Notably, the Absynth prototype by [27] implements Kaminski's ert-calculus, cf. [15], for reasoning about expected costs. Avanzini et al. [5] generalise the ert-calculus to an expected cost transformer and introduce the tool eco-imp, which provides a modular and thus more efficient and scalable alternative for non-deterministic, probabilistic programs. In comparison to these works, we base our analysis on a dedicated type system fine-tuned to express sublinear bounds; further, our prototype implementation ATLAS derives bounds on the expected amortised costs. Neither is supported by Absynth or eco-imp.

Martingale based techniques have been implemented, e.g., by Peixin Wang 
et al. [38]. Related results have been reported by Moosbrugger et al. [24]. Meyer 
et al. [22] provide an extension of the KoAT tool, generalising the concept of alternating size and runtime analysis to probabilistic programs. Again, these innovative tools are not suited to the benchmarks considered in our work. With respect to probabilistic functional programs, Di Wang et al. [37] provided the only prior expected cost analysis of (deterministic) probabilistic programs; this work is most closely related to our contributions. Indeed, our typing rule (ite : coin) stems from [37] and the soundness proof wrt. the big-step semantics is conceptually similar. Nevertheless, our contributions strictly generalise their results. First, our core language is based on a simpler semantics, giving rise to cleaner formulations of our soundness theorems. Second, our type-and-effect system provides two different typing rules for ticking, a fact we can capitalise on in the additional strength of our prototype implementation. Finally, our amortised analysis allows for logarithmic potential functions.

A large body of research concentrates on specific forms of martingales or Lyapunov ranking functions. All these works, however, are somewhat orthogonal to our contributions, as foremost termination (i.e. AST or PAST) is studied, rather than computational complexity. Still, these approaches can partially be adapted to a variety of quantitative program properties, see [35] for an overview, but are incomparable in strength to the results established here.


Structure. In the next section, we provide a bird's eye view on our approach. Sections 3 and 4 detail the core probabilistic language employed, as well as its small- and big-step semantics. In Sect. 5 we introduce the novel type-and-effect system formally and state soundness of the system wrt. the respective semantics. In Sect. 6 we present evaluation results of our prototype implementation ATLAS. Finally, we conclude in Sect. 7. All proofs, part of the benchmarks and the source code are given in [19].


2 Overview of Our Approach and Results 


In this section, we first sketch our approach on an introductory example and 
then detail the benchmarks and results depicted in Table 1 in the Introduction. 


2.1 Introductory Example 


Consider the definition of the function descend, depicted in Fig. 1.

    descend t = match t with
      | leaf → leaf
      | node l a r → if coin 1/2                         (coin 1/2 denotes p = 1/2, the default, which could be omitted)
          then let xl = (descend l)✓ in node xl a r      (the symbol ✓ denotes a tick)
          else let xr = (descend r)✓ in node l a xr

Fig. 1. descend function

¹ An amortised analysis may always default to a worst-case analysis. In particular the analysis of descend in this section can be considered as a worst-case analysis. However, we use the example to illustrate the general setup of our amortised analysis.

The expected amortised complexity of descend is $\log_2(|t|)$, where $|t|$ denotes the size of a tree $t$ (defined as the number of leaves of the tree).¹ Our analysis is set up in terms of template potential functions with unknown coefficients, which will be instantiated by our analysis. Following [14,18], our potential functions are composed of two types of resource functions, which can express logarithmic amortised cost: For a sequence of $n$ trees $t_1, \ldots, t_n$ and coefficients $a_i \in \mathbb{N}$, $b \in \mathbb{Z}$, with $\sum_i a_i + b \geq 0$, the resource function
$$p_{(a_1,\ldots,a_n,b)}(t_1,\ldots,t_n) := \log_2(a_1 \cdot |t_1| + \cdots + a_n \cdot |t_n| + b)$$
denotes the logarithm of a linear combination of the sizes of the trees. The resource function $\mathrm{rk}(t)$, which is a variant of Schoenmakers' potential, cf. [28,31,32], is inductively defined as (i) $\mathrm{rk}(\mathit{leaf}) := 1$; (ii) $\mathrm{rk}(\mathit{node}\ l\ d\ r) := \mathrm{rk}(l) + \log_2(|l|) + \log_2(|r|) + \mathrm{rk}(r)$, where $l, r$ are the left resp. right child of the tree $\mathit{node}\ l\ d\ r$, and $d$ is some data element that is ignored by the resource function. (We note that $\mathrm{rk}(t)$ is not needed for the analysis of descend but is needed for more involved benchmarks, e.g. randomised splay trees.) With these resource functions at hand, our analysis introduces the coefficients $q_*, q_{(1,0)}, q_{(0,2)}, q'_*, q'_{(1,0)}, q'_{(0,2)}$ and employs the following Ansatz:²


$$q_* \cdot \mathrm{rk}(t) + q_{(1,0)} \cdot p_{(1,0)}(t) + q_{(0,2)} \cdot p_{(0,2)}(t) \;\geq\; C_{\mathit{descend}}(t) + q'_* \cdot \mathrm{rk}(\mathit{descend}\ t) + q'_{(1,0)} \cdot p_{(1,0)}(\mathit{descend}\ t) + q'_{(0,2)} \cdot p_{(0,2)}(\mathit{descend}\ t).$$

Here, $C_{\mathit{descend}}(t)$ denotes the expected cost of executing descend on tree $t$, where the cost is given by the ticks as indicated in the source code (each tick accounts for a recursive call). The result of our analysis will be an instantiation of the coefficients, returning $q_{(1,0)} = 1$ and zero for all other coefficients, which allows us to directly read off the logarithmic bound $\log_2(|t|)$ of descend.

Our analysis is formulated as a type-and-effect system, introducing the above 
template potential functions for every subexpression of the program under anal- 
ysis. The typing rules of our system give rise to a constraint system over the 
unknown coefficients that capture the relationship between the potential func- 
tions of the subexpressions of the program. Solving the constraint system then 
gives a valid instantiation of the potential function coefficients. Our type-and- 
effect system constitutes a generalisation of the type system studied in [14,18] 
to the non-deterministic and probabilistic setting, as well as an extension of the 
type system introduced in [37] to sublinear bounds and non-determinism. 

In the following, we survey our type-and-effect system by means of exam- 
ple descend. A partial type derivation is given in Fig. 2. For brevity, type judge- 
ments and the type rules are presented in a simplified form. In particular, we 
restrict our attention to tree types, denoted as T. This omission is inessential to 
the actual complexity analysis. For the full set of rules see [19]. We now discuss 
this type derivation step by step. 

    (app)         descend : T|Q → T|Q'
                  ─────────────────────────────────
                  l:T|Q5 ⊢ descend l : T|Q6
    (tick : now)  ─────────────────────────────────
                  l:T|Q4 ⊢ (descend l)✓ : T|Q6          x1:T, r:T|Q7 ⊢ node x1 a r : T|Q'
    (let)         ───────────────────────────────────────────────────────────────────────
                  l:T, r:T|Q3 ⊢ let x1 = (descend l)✓ in node x1 a r : T|Q'
    (ite : coin)  ───────────────────────────────────────────────────────────────────────
                  l:T, r:T|Q2 ⊢ if coin 1/2 then e2 else e3 : T|Q'
    (w)           ───────────────────────────────────────────────────────────────────────
                  l:T, r:T|Q1 ⊢ if coin 1/2 then e2 else e3 : T|Q'
    (match)       ───────────────────────────────────────────────────────────────────────
                  t:T|Q ⊢ match t with | leaf → leaf | node l a r → e1 : T|Q'

Fig. 2. Partial Type Derivation for Function descend (the premises of each rule are written above its conclusion; the leaf case of (match) and the else-branch of (ite : coin) are omitted)

Let e denote the body of the function definition of descend, cf. Fig. 1. Our automated analysis infers an annotated type by verifying that the type judgement $t{:}T|Q \vdash e{:}T|Q'$ is derivable. Types are decorated with annotations $Q := [q_*, q_{(1,0)}, q_{(0,2)}]$ and $Q' := [q'_*, q'_{(1,0)}, q'_{(0,2)}]$ employed to express the potential carried by the arguments to descend and its results. Annotations fix the coefficients of the resource functions in the corresponding potential functions, e.g., (i) $\Phi(t{:}T|Q) := q_* \cdot \mathrm{rk}(t) + q_{(1,0)} \cdot p_{(1,0)}(t) + q_{(0,2)} \cdot p_{(0,2)}(t)$ and (ii) $\Phi(e{:}T|Q') := q'_* \cdot \mathrm{rk}(e) + q'_{(1,0)} \cdot p_{(1,0)}(e) + q'_{(0,2)} \cdot p_{(0,2)}(e)$.

² For ease of presentation, we elide the underlying semantics for now and simply write "descend t" for the resulting tree t', obtained after evaluating descend t.

By our soundness theorems (see Sect. 5.3), such a typing guarantees that the expected amortised cost of descend is bounded by the expectation (wrt. the value distribution in the limit) of the difference between $\Phi(t{:}T|Q)$ and $\Phi(\mathit{descend}\ t{:}T|Q')$. Because e is a match expression, the following rule is applied (we only state a restricted rule here; the general rule can be found in [19]):


$$\frac{\varnothing|\varnothing \vdash \mathit{leaf}{:}T|Q' \qquad l{:}T, r{:}T|Q_1 \vdash e_1{:}T|Q'}{t{:}T|Q \vdash \mathit{match}\ t\ \mathit{with}\ |\ \mathit{leaf} \to \mathit{leaf}\ |\ \mathit{node}\ l\ a\ r \to e_1 {:} T|Q'}\ (\mathit{match})$$

Here $e_1$ denotes the subexpression of e that corresponds to the node case of match. Apart from the annotations $Q$, $Q_1$ and $Q'$, the rule (match) constitutes a standard type rule for pattern matching. With regard to the annotations $Q$ and $Q_1$, (match) ensures the correct distribution of potential by inducing the constraints

$$q^1_* = q_* \qquad q^1_{(1,1,0)} = q_{(1,0)} \qquad q^1_{(1,0,0)} = q^1_{(0,1,0)} = q_* \qquad q^1_{(0,0,2)} = q_{(0,2)}\,,$$

where the constraints are immediately justified by recalling the definitions of the resource functions $p_{(a_1,\ldots,a_n,b)}(t_1,\ldots,t_n) = \log_2(a_1 \cdot |t_1| + \cdots + a_n \cdot |t_n| + b)$ and $\mathrm{rk}(t) = \mathrm{rk}(l) + \log_2(|l|) + \log_2(|r|) + \mathrm{rk}(r)$.

The next rule is a structural rule, representing a weakening step that rewrites the annotations of the variable context. The rule (w) allows a suitable adaptation of the coefficients based on the following inequality, which holds for any substitution $\sigma$ of variables by values: $\Phi(\sigma; l{:}T, r{:}T|Q_1) \geq \Phi(\sigma; l{:}T, r{:}T|Q_2)$.

$$\frac{l{:}T, r{:}T|Q_2 \vdash e{:}T|Q'}{l{:}T, r{:}T|Q_1 \vdash e{:}T|Q'}\ (w)$$

In our prototype implementation this comparison is performed symbolically. We use a variant of Farkas' Lemma [19,33] in conjunction with simple mathematical facts about the logarithm to linearise this symbolic comparison, namely the monotonicity of the logarithm and the fact that $2 + \log_2(x) + \log_2(y) \leq 2\log_2(x + y)$ for all $x, y \geq 1$. For example, Farkas' Lemma in conjunction with the latter fact gives rise to

$$q^2_{(0,0,2)} + 2f \geq q^1_{(0,0,2)} \qquad q^1_{(1,1,0)} - 2f \geq q^2_{(1,1,0)} \qquad q^2_{(1,0,0)} + f \geq q^1_{(1,0,0)} \qquad q^2_{(0,1,0)} + f \geq q^1_{(0,1,0)}\,,$$

for some fresh rational coefficient $f \geq 0$ introduced by Farkas' Lemma. After having generated the constraint system for descend, the solver is free to instantiate $f$ as needed. In fact, in order to discover the bound $\log_2(|t|)$ for descend, the solver will need to instantiate $f = 1/2$, corresponding to the inequality $\log_2(|l| + |r|) \geq \frac{1}{2}\log_2(|l|) + \frac{1}{2}\log_2(|r|) + 1$.

    meld h1 h2 = match h1 with
      | leaf → h2
      | node h1l h1x h1r → match h2 with
        | node h2l h2x h2r → if h1x > h2x
            then if coin
              then (node (meld h2l (node h1l h1x h1r))✓ h2x h2r)
              else (node h2l h2x (meld h2r (node h1l h1x h1r))✓)
            else ...                              (omitted for brevity, symmetric to the depicted case)

Fig. 3. Partial meld function of Randomised Meldable Heaps

So far, the rules did not refer to sampling and are unchanged from their (non-probabilistic) counterpart introduced in [14,18]. The next rule, however, formalises a coin toss, biased with probability $p$. Our general rule (ite : coin) is depicted in Fig. 12 and is inspired by a similar rule for coin tosses that has recently been proposed in the literature, cf. [37]. This rule specialises as follows to our introductory example:

$$\frac{l{:}T, r{:}T|Q_3 \vdash \mathit{let}\ x_1 = (\mathit{descend}\ l)^{\checkmark}\ \mathit{in}\ \mathit{node}\ x_1\ a\ r {:} T|Q' \qquad l{:}T, r{:}T|Q_4 \vdash e_3{:}T|Q'}{l{:}T, r{:}T|Q_2 \vdash \mathit{if}\ \mathit{coin}\ 1/2\ \mathit{then}\ e_2\ \mathit{else}\ e_3 {:} T|Q'}\ (\mathit{ite} : \mathit{coin})$$

Here $e_2$ and $e_3$, respectively, denote the then- and else-subexpressions of the conditional, and in addition the crucial condition $Q_2 = 1/2 \cdot Q_3 + 1/2 \cdot Q_4$ holds. This condition, expressing that the corresponding annotations are subject to the probability of the coin toss, gives rise to the following constraints (among others):

$$q^2_{(0,0,2)} = 1/2 \cdot q^3_{(0,0,2)} + 1/2 \cdot q^4_{(0,0,2)} \qquad q^2_{(0,1,0)} = 1/2 \cdot q^3_{(0,1,0)} + 1/2 \cdot q^4_{(0,1,0)} \qquad q^2_{(1,0,0)} = 1/2 \cdot q^3_{(1,0,0)} + 1/2 \cdot q^4_{(1,0,0)}\,.$$

In the following, we will only consider one alternative of the coin toss and proceed as in the partial type derivation depicted in Fig. 2 (i.e. we state the then-branch and omit the symmetric else-branch). Thus next, we apply the rule for the let expression. This rule is the most involved typing rule in the system proposed in [14,18]. However, for our leading example it suffices to consider the following simplified variant:
$$\frac{l{:}T|Q_4 \vdash (\mathit{descend}\ l)^{\checkmark} {:} T|Q_6 \qquad x_1{:}T, r{:}T|Q_7 \vdash \mathit{node}\ x_1\ a\ r {:} T|Q'}{l{:}T, r{:}T|Q_3 \vdash \mathit{let}\ x_1 = (\mathit{descend}\ l)^{\checkmark}\ \mathit{in}\ \mathit{node}\ x_1\ a\ r {:} T|Q'}\ (\mathit{let})$$

Focusing on the annotations, the rule (let : tree) suitably distributes potential assigned to the variable context, embodied in the annotation $Q_3$, to the recursive call within the let expression (via annotation $Q_4$) and the construction of the resulting tree (via annotation $Q_7$). The distribution of potential is facilitated by generating constraints that can roughly be stated as two "equalities", that is, (i) "$Q_3 = Q_4 + D$", and (ii) "$Q_7 = D + Q_6$". Equality (i) states that the input potential is split into some potential $Q_4$ used for typing $(\mathit{descend}\ l)^{\checkmark}$ and some remainder potential $D$ (which however is not constructed explicitly and only serves as a placeholder for potential that will be passed on). Equality (ii) states that the potential $Q_7$ used for typing $\mathit{node}\ x_1\ a\ r$ equals the remainder potential $D$ plus the leftover potential $Q_6$ from the typing of $(\mathit{descend}\ l)^{\checkmark}$. The (tick : now) rule then ensures that costs are properly accounted for by generating constraints for $Q_4 = Q_5 + 1$ (see Fig. 2). Finally, the type derivation ends by the application rule, denoted as (app), that verifies that the recursive call is well-typed wrt. the (annotated) signature of the function $\mathit{descend}{:}\ T|Q \to T|Q'$, i.e. the rule enforces that $Q_5 = Q$ and $Q_6 = Q'$. We illustrate (a subset of) the constraints induced by (let), (tick : now) and (app):

$$\begin{array}{llll}
q^3_{(1,0,0)} = q^4_{(1,0)} & q^3_{(0,1,0)} = q^7_{(0,1,0)} & q^6_* = q^7_1 & q^4_{(0,2)} = q^5_{(0,2)} + 1 \\
q^3_{(0,0,2)} = q^4_{(0,2)} & q^3_2 = q^7_2 & q^6_{(1,0)} = q^7_{(1,0,0)} & q^4_{(1,0)} = q^5_{(1,0)} \\
 & & q^6_{(0,2)} = q^7_{(0,0,2)} & q^5_* = q_* \qquad q^5_{(1,0)} = q_{(1,0)}\,,
\end{array}$$

where (i) the constraints in the first three columns—involving the annotations $Q_3$, $Q_4$, $Q_6$ and $Q_7$—stem from the constraints of the rule (let : tree); (ii) the constraints in the last column—involving $Q_4$, $Q_5$, $Q$ and $Q'$—stem from the constraints of the rules (tick : now) and (app). For example, $q^3_{(1,0,0)} = q^4_{(1,0)}$ and $q^3_{(0,1,0)} = q^7_{(0,1,0)}$ distribute the part of the logarithmic potential represented by $Q_3$ to $Q_4$ and $Q_7$; $q^6_* = q^7_1$ expresses that the rank of the result of evaluating the recursive call can be employed in the construction of the resulting tree $\mathit{node}\ x_1\ a\ r$; $q^4_{(1,0)} = q^5_{(1,0)}$ and $q^4_{(0,2)} = q^5_{(0,2)} + 1$ relate the logarithmic resp. constant potential according to the tick rule, where the addition of one accounts for the cost embodied by the tick rule; $q^5_{(1,0)} = q_{(1,0)}$ stipulates that the potential at the recursive call site must match the function type.

    splay a t = match t with
      | node cl c cr → match cl with
        | node bl b br → match (splay a bl)✓^(1/2) with                   (recursive call costs 1/2)
          | node al a1 ar → if coin
              then (node al a1 (node ar b (node br c cr)))✓^(1/2)          (rotation costs 1/2)
              else node (node (node al a1 ar) b br) c cr                   (no rotation)

Fig. 4. Partial splay function of Randomised Splay Trees (zigzig-case)

Our prototype implementation ATLAS collects all these constraints and solves them fully automatically. Following [14,18], our implementation in fact searches for a solution that minimises the resulting complexity bound. For the descend function, our implementation finds a solution that sets $q_{(1,0)}$ to 1, and all other coefficients to zero. Thus, the logarithmic bound $\log_2(|t|)$ follows.

    insert d t = match t with
      | leaf → node leaf d leaf
      | node l a r → if coin 1/2                  (assuming probability 1/2 for a < d)
          then node (insert d l)✓ a r
          else node l a (insert d r)✓

Fig. 5. insert function of a Binary Search Tree with randomized comparison


2.2 Overview of Benchmarks and Results 


Randomised Meldable Heaps. Gambin et al. [13] proposed meldable heaps as a simple priority-queue data structure that is guaranteed to have expected logarithmic cost for all operations. All operations can be implemented in terms of the meld function, which takes two heaps and returns a single heap as a result. The partial source code of meld is given in Fig. 3 (the full source code of all examples can be found in [19]). Our tool ATLAS fully automatically infers the bound $\log_2(|h_1|) + \log_2(|h_2|)$ on the expected cost of meld.


Randomised Splay Trees. Albers et al. in [1] propose these splay trees as a variation of deterministic splay trees [34], which have better expected runtime complexity (the same computational complexity in O-notation but with smaller constants). Related results have been obtained by Fürer [12]. The proposal is based on the observation that it is not necessary to rotate the tree in every (recursive) splaying operation but that it suffices to perform rotations with some fixed positive probability in order to reap the asymptotic benefits of self-adjusting search trees. The theoretical analysis of randomised splay trees [1] starts by refining the cost model of [34], which simply counts the number of rotations, into one that accounts for recursive calls with a cost of c and for rotations with a cost of d.

We present a snippet of a functional implementation of randomised splay trees in Fig. 4. We note that in this code snippet we have set c = d = 1/2; this choice is arbitrary; we have chosen these costs in order to be able to compare the resulting amortised costs to the deterministic setting of [18], where the combined cost of the recursive call and rotation is set to 1. We note that our analysis requires fixed costs c and d, but these constants can be chosen by the user; for example, one can set c = 1 and d = 2.75 corresponding to the costs observed during the experiments in [1]. Likewise, the probability of the coin toss has been arbitrarily set to p = 1/2 but could be set differently by the user. (We remark that to the best of our knowledge no theoretical analysis has been conducted on how to choose the best value of p for given costs c and d.) Our prototype implementation is able to fully automatically infer an amortised complexity bound of $\frac{9}{8}\log_2(|t|)$ for splay (with c, d and p fixed as above), which improves on the complexity bound of $\frac{3}{2}\log_2(|t|)$ for the deterministic version of splay as reported in [18], confirming that randomisation indeed improves the expected runtime.


pre-condition: t is not a leaf
delete_max t = match t with
  | node l b r -> match r with
    | leaf -> (l, b)
    | node rl c rr -> match rr with
      | leaf -> ((node l b rl), c)
      | rr -> let (t', max) = (delete_max rr)✓ in match t' with
        | node rrl x xa -> (node (node (node l b rl) c rrl) x xa, max)

Fig. 6. delete_max function of a Coin Search Tree with one rotation

We remark on how the amortised complexity bound of $\frac{9}{8}\log_2(|t|)$ for splay is computed by our analysis. Our tool ATLAS computes an annotated type for splay that corresponds to the inequality

$$\tfrac{3}{4}\,\mathrm{rk}(t) + \tfrac{9}{8}\log_2(|t|) + \tfrac{3}{4} \;\geq\; C_{\mathrm{splay}}(t) + \tfrac{3}{4}\,\mathrm{rk}(\mathrm{splay}\ t) + \tfrac{3}{4}.$$

By setting $\Phi(t) := \frac{3}{4}\mathrm{rk}(t) + \frac{3}{4}$ as potential function in the sense of Tarjan and Sleator [34,36], the above inequality allows us to directly read out an upper bound on the amortised complexity $a_{\mathrm{splay}}(t)$ of splay (we recall that the amortised complexity in the sense of Tarjan and Sleator is defined as the sum of the actual costs plus the output potential minus the input potential):

$$a_{\mathrm{splay}}(t) = C_{\mathrm{splay}}(t) + \Phi(\mathrm{splay}\ t) - \Phi(t) \;\leq\; \tfrac{9}{8}\cdot\log_2(|t|).$$


Probabilistic Analysis of Binary Search Trees. We present a probabilistic analysis of a deterministic binary search tree, which offers the usual contains, insert, and delete operations, where delete uses delete_max given in Fig. 6 as a subroutine (the source code of the missing operations is given in [19]). We assume that the elements inserted, deleted and searched for are equally distributed; hence, we conduct a probabilistic analysis by replacing every comparison with a coin toss of probability one half. We will refer to the resulting data structure as Coin Search Tree in our benchmarks. The source code of insert is given in Fig. 5.

Our tool ATLAS infers a logarithmic expected amortised cost for all operations, i.e., for insert and delete_max we obtain (i) $\frac{1}{2}\mathrm{rk}(t) + \frac{3}{2}\log_2(|t|) + \frac{3}{2} \geq C_{\mathrm{insert}}(t) + \frac{1}{2}\mathrm{rk}(\mathrm{insert}\ t) + 1$; and (ii) $\frac{1}{2}\mathrm{rk}(t) + \frac{3}{2}\log_2(|t|) + 1 \geq C_{\mathrm{delete\_max}}(t) + \frac{1}{2}\mathrm{rk}(\mathrm{delete\_max}\ t) + 1$, from which we obtain an expected amortised cost of $\frac{3}{2}\log_2(|t|) + \frac{1}{2}$ and $\frac{3}{2}\log_2(|t|)$ respectively.
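As an added illustration (not part of the paper or of the ATLAS tool), the following Python script enumerates every coin-toss path of the insert function of Fig. 5, computes the expected tick cost $C_{\mathrm{insert}}(t)$ exactly, and evaluates both sides of inequality (i) on constructed trees. The potential rk is assumed to be the variant rk(leaf) = 1, rk(node l a r) = rk(l) + log2(|l|) + log2(|r|) + rk(r) (its definition in Sect. 2 is not repeated on this page); the tree encoding, the right_spine helper and the sample trees are constructed for this example.

```python
from fractions import Fraction
from math import log2

# Constructed encoding: a tree is either the leaf LEAF or a tuple (left, key, right).
LEAF = None

def size(t):
    """|t|: the number of leaves of t, as in the paper."""
    if t is LEAF:
        return 1
    l, _, r = t
    return size(l) + size(r)

def rk(t):
    """Assumed variant of Schoenmakers' potential (not repeated on this page):
    rk(leaf) = 1 and rk(node l a r) = rk(l) + log2(|l|) + log2(|r|) + rk(r)."""
    if t is LEAF:
        return 1.0
    l, _, r = t
    return rk(l) + log2(size(l)) + log2(size(r)) + rk(r)

def insert_outcomes(d, t):
    """Enumerates every coin-toss path of Fig. 5's insert as (probability, ticks, result).
    Each recursive call sits under a tick, so it costs one unit on the path that takes it."""
    if t is LEAF:
        return [(Fraction(1), 0, (LEAF, d, LEAF))]
    l, a, r = t
    half = Fraction(1, 2)
    left = [(half * p, c + 1, (sub, a, r)) for p, c, sub in insert_outcomes(d, l)]
    right = [(half * p, c + 1, (l, a, sub)) for p, c, sub in insert_outcomes(d, r)]
    return left + right

def expected_cost(outcomes):
    """C_insert(t): the expected number of ticks, as an exact rational."""
    return sum((p * c for p, c, _ in outcomes), Fraction(0))

def expected_rk(outcomes):
    """E[rk(insert d t)] over all coin tosses."""
    return sum(float(p) * rk(res) for p, _, res in outcomes)

def insert_bound(t, d=0):
    """Both sides of inequality (i):
    1/2 rk(t) + 3/2 log2(|t|) + 3/2  >=  C_insert(t) + 1/2 E[rk(insert t)] + 1.
    Returns (lhs, rhs); the bound holds when lhs >= rhs."""
    outs = insert_outcomes(d, t)
    lhs = 0.5 * rk(t) + 1.5 * log2(size(t)) + 1.5
    rhs = float(expected_cost(outs)) + 0.5 * expected_rk(outs) + 1.0
    return lhs, rhs

def right_spine(n):
    """Constructed degenerate tree with n nodes, each having a leaf as left child."""
    t = LEAF
    for k in range(n):
        t = (LEAF, k, t)
    return t

if __name__ == "__main__":
    samples = [("leaf", LEAF), ("one node", (LEAF, 1, LEAF)), ("spine(5)", right_spine(5))]
    for name, t in samples:
        lhs, rhs = insert_bound(t)
        print(f"{name}: E[cost] = {expected_cost(insert_outcomes(0, t))}, "
              f"{lhs:.3f} >= {rhs:.3f}: {lhs >= rhs}")
```

The enumeration is exact rather than sampled: the number of paths equals the number of leaves of t, so the expectation is computed as a rational without Monte-Carlo error, and the inequality can be checked with equality on the small trees where the type is tight.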


3 Probabilistic Functional Language 


Preliminaries. Let $\mathbb{R}^+$ denote the non-negative reals and $\mathbb{R}^+_\infty$ their extension by $\infty$. We are only concerned with discrete distributions and drop "discrete" in the following. Let A be a countable set and let D(A) denote the set of (sub)distributions $\mu$ over A, whose support $\mathrm{supp}(\mu) := \{a \in A \mid \mu(a) \neq 0\}$ is countable. Distributions are denoted by Greek letters. For $\mu \in D(A)$, we may write $\mu = \{a_i^{p_i}\}_{i \in I}$, assigning probabilities $p_i$ to $a_i \in A$ for every $i \in I$, where I is a suitably chosen index set. We set $|\mu| := \sum_{i \in I} p_i$. If the support is finite, we simply write $\mu = \{a_1^{p_1}, \ldots, a_n^{p_n}\}$. The expected value of a function $f : A \to \mathbb{R}^+_\infty$ on $\mu \in D(A)$ is defined as $\mathbb{E}_\mu(f) := \sum_{a \in \mathrm{supp}(\mu)} \mu(a) \cdot f(a)$. Further, we denote by $\sum_{i \in I} p_i \cdot \mu_i$ the convex combination of distributions $\mu_i$, where $\sum_{i \in I} p_i \leq 1$. As by assumption $\sum_{i \in I} p_i \leq 1$, $\sum_{i \in I} p_i \cdot \mu_i$ is always a (sub-)distribution.

In the following, we also employ a slight extension of (discrete) distributions, dubbed multidistributions [4]. Multidistributions are countable multisets $\{a_i^{p_i}\}_{i \in I}$ over pairs $p_i : a_i$ of probabilities $0 < p_i \leq 1$ and objects $a_i \in A$ with $\sum_{i \in I} p_i \leq 1$. (For ease of presentation, we do not distinguish notationally between sets and multisets.) Multidistributions over objects A are denoted by M(A). For a multidistribution $\mu \in M(A)$ the induced distribution $\overline{\mu} \in D(A)$ is defined in the obvious way by summing up the probabilities of equal objects.


e ::= f x1 ... xn | e✓ | false | true | e1 ∘ e2 | if x then e1 else e2
    | if nondet then e1 else e2 | if coin a/b then e1 else e2
    | leaf | node x1 x2 x3 | match x with | leaf -> e1 | node x1 x2 x3 -> e2
    | (x1, x2) | match x with | (x1, x2) -> e | let x = e1 in e2

Fig. 7. A Core Probabilistic (First-Order) Programming Language


Syntax. In Fig.7, we detail the syntax of our core probabilistic (first-order) 
programming language. With the exception of ticks, expressions are given in 
let-normal form to simplify the presentation of the operational semantics and 
the typing rules. In order to ease the readability, we make use of mild syntactic 
sugaring in the presentation of actual code (as we already did above). 

To make the presentation more succinct, we assume only the following types: a set of base types B such as Booleans Bool = {true, false}, integers Int, or rationals Rat, product types, and binary trees T, whose internal nodes are labelled with elements b : B, where B denotes an arbitrary base type. Values are either of base types, trees or pairs of values. We use lower-case Greek letters (from the beginning of the alphabet) for the denotation of types. Elements t : T are defined by the following grammar, which fixes notation: t = leaf | node t₁ b t₂. The size of a tree is the number of leaves: |leaf| := 1, |node t a u| := |t| + |u|.

We skip the standard definition of integer constants $n \in \mathbb{Z}$ as well as variable declarations, cf. [29]. Furthermore, we omit binary operators with the exception of essential comparisons. As mentioned, to represent sampling we make use of a dedicated if-then-else expression, whose guard evaluates to true depending on a coin toss with fixed probability. Further, non-deterministic choice is similarly rendered via an if-then-else expression. Moreover, we make use of ticking, denoted by an operator $\cdot^{✓\,a/b}$ to annotate costs, where a, b are optional and default to one. Following Avanzini et al. [2], we represent ticking $\cdot^{✓}$ as an operation, rather than in let-normal form, as in Wang et al. [37]. (This allows us to suit a big-step semantics that only accumulates the cost of terminating expressions.) The set of all expressions is denoted $\mathcal{E}$.


f x1 ... xk σ ↦ e σ
let x = w in e2 ↦ e2[x ↦ w]
match leaf with | leaf -> e1 | node x0 x1 x2 -> e2 ↦ e1
match node t a u with | leaf -> e1 | node x0 x1 x2 -> e2 ↦ e2[x0 ↦ t, x1 ↦ a, x2 ↦ u]
match (t, u) with | (x1, x2) -> e ↦ e[x1 ↦ t, x2 ↦ u]
if true then e1 else e2 ↦ e1
if false then e1 else e2 ↦ e2
if coin a/b then e1 else e2 ↦ {e1^{a/b}, e2^{1 − a/b}}
if nondet then e1 else e2 ↦ e1
if nondet then e1 else e2 ↦ e2
e✓^{a/b} ↦^{a/b} e

Assuming f x1 ... xk = e ∈ P, σ respects the signature of f, and w is a value.

Fig. 8. One-Step Reduction Rules

A typing context is a mapping from variables $\mathcal{V}$ to types. Type contexts are denoted by upper-case Greek letters, and the empty context is denoted ε. A program P consists of a signature $\mathcal{F}$ together with a set of function definitions of the form $f\ x_1 \ldots x_n = e_f$, where the $x_i$ are variables and $e_f$ an expression. When considering some expression e that includes function calls we will always assume that these function calls are defined by some program P. A substitution (or environment) σ is a mapping from variables to values that respects types. Substitutions are denoted as sets of assignments: $\sigma = \{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n\}$. We write dom(σ) to denote the domain of σ.


4 Operational Semantics 


Small-Step Semantics. The small-step semantics is formalised as a (weighted) non-deterministic, probabilistic abstract reduction system [4,9] over $M(\mathcal{E})$. In this way (expected) cost, non-determinism and probabilistic sampling are taken care of. Informally, a probabilistic abstract reduction system is a transition system where reducts are chosen from a probability distribution. A reduction wrt. such a system is then given by a stochastic process [9], or equivalently, as a reduction relation over multidistributions [4], which arise naturally in the context of non-determinism (we refer the reader to [4] for an example that illustrates the advantage of multidistributions in the presence of non-determinism).

Following [5], we equip transitions with (positive) weights, amounting to the cost of the transition. Formally, a (weighted) Probabilistic Abstract Reduction System (PARS) on a countable set A is a ternary relation $\cdot \to \cdot \subseteq A \times \mathbb{R}^+_\infty \times D(A)$. For $a \in A$, a rule $a \xrightarrow{c} \mu$ indicates that a reduces to b with probability $\mu(b)$ and cost $c \in \mathbb{R}^+_\infty$. Note that any right-hand side of a PARS is supposed to be a full distribution, i.e. the probabilities in μ sum up to 1. Given two objects a and b, $a \xrightarrow{c} \{b^1\}$ will be written $a \xrightarrow{c} b$ for brevity. An object $a \in A$ is called terminal if there is no rule $a \xrightarrow{c} \mu$, denoted $a \not\to$. We suit the one-step reduction relation ↦ given in Fig. 8 as a (non-deterministic) PARS over multidistributions.


(Step)  $e \overset{c}{\mapsto} \{e_i^{p_i}\}_{i \in I}$  ⟹  $\{C[e]^1\} \xrightarrow{c} \{C[e_i]^{p_i}\}_{i \in I}$

(Conv)  $\mu_i \xrightarrow{c_i} \nu_i$ for all $i \in I$  ⟹  $\biguplus_{i \in I} p_i \cdot \mu_i \xrightarrow{\sum_{i \in I} p_i \cdot c_i} \biguplus_{i \in I} p_i \cdot \nu_i$

(NF)  $v \in \mathcal{V}$ is a value  ⟹  $\{v^1\} \xrightarrow{0} \{v^1\}$

Fig. 9. Probabilistic Reduction Rules of Distributions of Expressions


As above, we sometimes identify Dirac distributions $\{e^1\}$ with e. Evaluation contexts are formed by let expressions, as in the following grammar: C ::= □ | let x = C in e. We denote with C[e] the result of substituting the empty context □ with the expression e. Contexts are exploited to lift the one-step reduction to a ternary weighted reduction relation $\to \subseteq M(\mathcal{E}) \times \mathbb{R}^+_\infty \times M(\mathcal{E})$, cf. Fig. 9. (In (Conv), ⊎ refers to the usual notion of multiset union.)


The relation → constitutes the operational (small-step) semantics of our simple probabilistic functional language. Thus $\mu \xrightarrow{c} \nu$ states that the submultidistribution of objects μ evolves to a submultidistribution of reducts ν in one step, with an expected cost of c. Note that since ↦ is non-deterministic, so is the reduction relation →. We now define the evaluation of an expression $e \in \mathcal{E}$ wrt. the small-step relation →: We set $e \xrightarrow{c}_\infty \mu$, if there is a (possibly infinite) sequence $\{e^1\} \xrightarrow{c_1} \mu_1 \xrightarrow{c_2} \mu_2 \xrightarrow{c_3} \cdots$ with $c = \sum_n c_n$ and $\mu = \lim_{n \to \infty} \overline{\mu_n}|_{\mathcal{V}}$, where $\overline{\mu_n}|_{\mathcal{V}}$ denotes the restriction of the distribution $\overline{\mu_n}$ (induced by the multidistribution $\mu_n$) to a (sub-)distribution over values. Note that the $\overline{\mu_n}|_{\mathcal{V}}$ form a CPO wrt. the pointwise ordering, cf. [39]. Hence, the fixed point $\mu = \lim_{n \to \infty} \overline{\mu_n}|_{\mathcal{V}}$ exists. We also write $e \to_\infty \mu$ in case the cost of the evaluation is not important.


(Positive) Almost Sure Termination. A program P is almost surely terminating (AST) if for any substitution σ, and any evaluation $e\sigma \to_\infty \mu$, we have that μ forms a full distribution. For the definition of positive almost sure termination we assume that every statement of P is enclosed in a ticking operation with cost one; we note that such a cost models the length of the computation. We say P is positively almost surely terminating (PAST), if for any substitution σ, and any evaluation $e\sigma \xrightarrow{c}_\infty \mu$, we have $c < \infty$. It is well known that PAST implies AST, cf. [9].


Big-Step Semantics. We now define the aforementioned big-step semantics. We first define approximate judgments $\sigma \vdash_n e \Rightarrow^{c} \mu$, see Fig. 10, which say that in derivation trees with depth up to n the expression e evaluates to a subdistribution μ over values with cost c. We now consider the cost $c_n$ and subdistribution $\mu_n$ in $\sigma \vdash_n e \Rightarrow^{c_n} \mu_n$ for $n \to \infty$. Note that the subdistributions $\mu_n$ in $\sigma \vdash_n e \Rightarrow^{c_n} \mu_n$ form a CPO wrt. the pointwise ordering, cf. [39]. Hence, there exists a fixed point $\mu = \lim_{n \to \infty} \mu_n$. Moreover, we set $c = \lim_{n \to \infty} c_n$ (note that either $c_n$ converges to some real $c \in \mathbb{R}^+_\infty$ or we have $c = \infty$). We now define the big-step judgments $\sigma \vdash e \Rightarrow^{c} \mu$ by setting $\mu = \lim_{n \to \infty} \mu_n$ and $c = \lim_{n \to \infty} c_n$ for $\sigma \vdash_n e \Rightarrow^{c_n} \mu_n$.


e is not a value  ⟹  $\sigma \vdash_0 e \Rightarrow^{0} \emptyset$

$\sigma \vdash_{n+1} \mathtt{leaf} \Rightarrow^{0} \{\mathtt{leaf}^1\}$

$x_1\sigma = t,\ x_2\sigma = b,\ x_3\sigma = u$  ⟹  $\sigma \vdash_{n+1} \mathtt{node}\ x_1\ x_2\ x_3 \Rightarrow^{0} \{(\mathtt{node}\ t\ b\ u)^1\}$

$x\sigma = v$  ⟹  $\sigma \vdash_{n+1} x \Rightarrow^{0} \{v^1\}$

$x_1\sigma = t,\ x_2\sigma = u$  ⟹  $\sigma \vdash_{n+1} (x_1, x_2) \Rightarrow^{0} \{(t,u)^1\}$

$f\ y_1 \ldots y_k = e \in P,\ \rho \vdash_n e \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} f\ x_1 \ldots x_k \Rightarrow^{c} \mu$

$\sigma \vdash_n e_1 \Rightarrow^{c} \nu$, for all $w \in \mathrm{supp}(\nu)$: $\sigma[x \mapsto w] \vdash_n e_2 \Rightarrow^{c_w} \mu_w$  ⟹  $\sigma \vdash_{n+1} \mathtt{let}\ x = e_1\ \mathtt{in}\ e_2 \Rightarrow^{c + \sum_{w \in \mathrm{supp}(\nu)} \nu(w) \cdot c_w} \sum_{w \in \mathrm{supp}(\nu)} \nu(w) \cdot \mu_w$

$x\sigma = \mathtt{leaf},\ \sigma \vdash_n e_1 \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} \mathtt{match}\ x\ \mathtt{with}\ |\ \mathtt{leaf} \to e_1\ |\ \mathtt{node}\ x_0\ x_1\ x_2 \to e_2 \Rightarrow^{c} \mu$

$x\sigma = \mathtt{node}\ t\ a\ u,\ \sigma' \vdash_n e_2 \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} \mathtt{match}\ x\ \mathtt{with}\ |\ \mathtt{leaf} \to e_1\ |\ \mathtt{node}\ x_0\ x_1\ x_2 \to e_2 \Rightarrow^{c} \mu$

$x\sigma = \mathtt{true},\ \sigma \vdash_n e_1 \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} \mathtt{if}\ x\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2 \Rightarrow^{c} \mu$

$x\sigma = \mathtt{false},\ \sigma \vdash_n e_2 \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} \mathtt{if}\ x\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2 \Rightarrow^{c} \mu$

$\sigma \vdash_n e_1 \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} \mathtt{if\ nondet\ then}\ e_1\ \mathtt{else}\ e_2 \Rightarrow^{c} \mu$

$\sigma \vdash_n e_2 \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} \mathtt{if\ nondet\ then}\ e_1\ \mathtt{else}\ e_2 \Rightarrow^{c} \mu$

$x\sigma = (t,u),\ \sigma'' \vdash_n e \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} \mathtt{match}\ x\ \mathtt{with}\ |\ (x_1, x_2) \to e \Rightarrow^{c} \mu$

$\sigma \vdash_n e \Rightarrow^{c} \mu$  ⟹  $\sigma \vdash_{n+1} e^{✓\,a/b} \Rightarrow^{c + |\mu| \cdot a/b} \mu$

$\sigma \vdash_n e_1 \Rightarrow^{c_1} \mu_1,\ \sigma \vdash_n e_2 \Rightarrow^{c_2} \mu_2,\ p = a/b$  ⟹  $\sigma \vdash_{n+1} \mathtt{if\ coin}\ a/b\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2 \Rightarrow^{p \cdot c_1 + (1-p) \cdot c_2} p \cdot \mu_1 + (1-p) \cdot \mu_2$

Here $\sigma[x \mapsto w]$ denotes the update of the environment σ such that $\sigma[x \mapsto w](x) = w$ and the value of all other variables remains unchanged. For function application we set $\rho := \{y_1 \mapsto x_1\sigma, \ldots, y_k \mapsto x_k\sigma\}$. In the rules covering match we set $\sigma' := \sigma \uplus \{x_0 \mapsto t, x_1 \mapsto a, x_2 \mapsto u\}$ and $\sigma'' := \sigma \uplus \{x_1 \mapsto t, x_2 \mapsto u\}$ for trees and tuples respectively.

Fig. 10. Big-Step Semantics.


We want to emphasise that the cost c in $\sigma \vdash e \Rightarrow^{c} \mu$ only counts the ticks on terminating computations.
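The approximate judgments $\sigma \vdash_n e \Rightarrow^{c} \mu$ of Fig. 10 can be executed directly, which makes the role of the depth bound n and of the factor $|\mu|$ in the tick rule concrete. The following Python interpreter is an added example, not code from the paper: it implements the tree fragment of the rules (let, match, application, coin and tick; if nondet is left out because it would need a scheduler), runs a constructed program loop that stops with probability 1/2 per round, and an assumed let-normal-form rendering of the paper's descend function (its Fig. 2 is not on this page). The cost of loop at depth n only charges the ticks of the runs that have already terminated within n steps, so it approaches the exact expected cost 1 from below.

```python
from fractions import Fraction

# Constructed re-implementation of  sigma |-_n e =>^c mu  (Fig. 10). Expressions are tuples
# tagged by their first element; values are 'leaf' or ('node', l, a, r) plus base values.
LEAF = 'leaf'

def add_to(mu, v, p):
    """Accumulates probability p for value v in the subdistribution mu (a dict)."""
    mu[v] = mu.get(v, Fraction(0)) + p

def bigstep(prog, env, e, n):
    """Returns (c, mu): cost and subdistribution over values reachable in derivation trees of
    depth at most n. At depth 0 nothing is derivable, so the result is the empty distribution."""
    if n == 0:
        return Fraction(0), {}
    kind = e[0]
    if kind == 'leaf':
        return Fraction(0), {LEAF: Fraction(1)}
    if kind == 'var':
        return Fraction(0), {env[e[1]]: Fraction(1)}
    if kind == 'node':
        _, x1, x2, x3 = e
        return Fraction(0), {('node', env[x1], env[x2], env[x3]): Fraction(1)}
    if kind == 'app':                      # unfold f under rho := {y_i -> x_i sigma}
        _, f, args = e
        params, body = prog[f]
        rho = dict(zip(params, (env[x] for x in args)))
        return bigstep(prog, rho, body, n - 1)
    if kind == 'let':                      # cost c + sum_w nu(w) c_w, result sum_w nu(w) mu_w
        _, x, e1, e2 = e
        c, nu = bigstep(prog, env, e1, n - 1)
        mu = {}
        for w, pw in nu.items():
            cw, muw = bigstep(prog, {**env, x: w}, e2, n - 1)
            c += pw * cw
            for v, pv in muw.items():
                add_to(mu, v, pw * pv)
        return c, mu
    if kind == 'tick':                     # e^{tick a/b}: only the terminating mass |mu| pays
        _, body, ab = e
        c, mu = bigstep(prog, env, body, n - 1)
        return c + sum(mu.values(), Fraction(0)) * ab, mu
    if kind == 'coin':                     # if coin a/b then e1 else e2, with p = a/b
        _, p, e1, e2 = e
        c1, mu1 = bigstep(prog, env, e1, n - 1)
        c2, mu2 = bigstep(prog, env, e2, n - 1)
        mu = {}
        for v, q in mu1.items():
            add_to(mu, v, p * q)
        for v, q in mu2.items():
            add_to(mu, v, (1 - p) * q)
        return p * c1 + (1 - p) * c2, mu
    if kind == 'match':                    # match x with | leaf -> e1 | node x0 x1 x2 -> e2
        _, x, e_leaf, (x0, x1, x2), e_node = e
        t = env[x]
        if t == LEAF:
            return bigstep(prog, env, e_leaf, n - 1)
        _, l, a, r = t
        return bigstep(prog, {**env, x0: l, x1: a, x2: r}, e_node, n - 1)
    raise ValueError(f"unsupported expression kind {kind!r}")

def mass(mu):
    """|mu|: the probability of termination within the depth bound."""
    return sum(mu.values(), Fraction(0))

HALF = Fraction(1, 2)

# Constructed program:  loop t = if coin 1/2 then leaf else (loop t)^{tick}.
# Its expected number of ticks E satisfies E = 1/2 (E + 1), i.e. E = 1.
LOOP = {'loop': (['t'], ('coin', HALF, ('leaf',),
                         ('tick', ('app', 'loop', ['t']), Fraction(1))))}

# Assumed let-normal-form shape of the paper's descend (Fig. 2 is not on this page):
#   descend t = match t with | leaf -> leaf
#     | node l a r -> if coin 1/2 then let x = (descend l)^{tick} in node x a r
#                                 else let x = (descend r)^{tick} in node l a x
DESCEND = {'descend': (['t'], ('match', 't', ('leaf',), ('l', 'a', 'r'),
    ('coin', HALF,
     ('let', 'x', ('tick', ('app', 'descend', ['l']), Fraction(1)), ('node', 'x', 'a', 'r')),
     ('let', 'x', ('tick', ('app', 'descend', ['r']), Fraction(1)), ('node', 'l', 'a', 'x')))))}

def evaluate(prog, f, arg, depth):
    """Runs sigma |-_depth f t =>^c mu for sigma = {t -> arg}; returns (c, |mu|, mu)."""
    c, mu = bigstep(prog, {'t': arg}, ('app', f, ['t']), depth)
    return c, mass(mu), mu

if __name__ == "__main__":
    for depth in (3, 6, 9, 12, 30):
        c, m, _ = evaluate(LOOP, 'loop', LEAF, depth)
        print(f"loop at depth {depth}: mass {m} = {float(m):.4f}, cost {c} = {float(c):.4f}")
```

For loop the mass at depth 3k is $1 - 2^{-k}$ and the cost is strictly below 1 at every finite depth, which is exactly the "only terminating computations pay" behaviour stated above; for descend on a perfect tree with four leaves every path pays two ticks, matching the bound $\log_2(|t|) = 2$ from Sect. 2.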


Theorem 1 (Equivalence). Let P be a program and σ a substitution. Then, (i) $\sigma \vdash e \Rightarrow^{c} \mu$ implies that $e\sigma \xrightarrow{c'}_\infty \mu$ for some $c' \geq c$, and (ii) $e\sigma \xrightarrow{c}_\infty \mu$ implies that $\sigma \vdash e \Rightarrow^{c'} \mu$ for some $c' \leq c$. Moreover, if $e\sigma$ almost-surely terminates, we can choose $c = c'$ in both cases.


The provided operational big-step semantics generalises the (big-step) seman- 
tics given in [18]. Further, while partly motivated by big-step semantics intro- 
duced in [37], our big-step semantics is technically incomparable—due to a dif- 
ferent representation of ticking—while providing additional expressivity. 
(tick : now)   $\Gamma|Q \vdash e : \alpha|Q'$  ⟹  $\Gamma|Q + a/b \vdash e^{✓\,a/b} : \alpha|Q'$

(tick : defer)   $\Gamma|Q \vdash e : \alpha|Q'$  ⟹  $\Gamma|Q \vdash e^{✓\,a/b} : \alpha|Q' - a/b$

Fig. 11. Ticking Operator. Note that a, b are not variables but literal numbers.


5 Type-and-Effect System for Expected Cost Analysis 


5.1 Resource Functions 


In Sect. 2, we introduced a variant of Schoenmakers' potential function, denoted as rk(t), and the additional potential functions $p_{(a_1,\ldots,a_n,b)}(t_1,\ldots,t_n) = \log_2(a_1 \cdot |t_1| + \cdots + a_n \cdot |t_n| + b)$, denoting the $\log_2$ of a linear combination of tree sizes. We demand $\sum_i a_i + b > 0$ ($a_i \in \mathbb{N}$, $b \in \mathbb{Z}$) for well-definedness of the latter; $\log_2$ denotes the logarithm to the base 2. Throughout the paper we stipulate $\log_2(0) := 0$ in order to avoid case distinctions. Note that the constant function 1 is representable: $1 = \lambda t.\log_2(0 \cdot |t| + 2) = p_{(0,2)}$. We are now ready to state the resource annotation of a sequence of trees.


Definition 1. A resource annotation or simply annotation of length m is a sequence $Q = [q_1, \ldots, q_m] \cup [(q_{(a_1,\ldots,a_m,b)})_{a_i, b \in \mathbb{N}}]$, vanishing almost everywhere. The length of Q is denoted |Q|. The empty annotation, that is, the annotation where all coefficients are set to zero, is denoted as ∅. Let $t_1, \ldots, t_m$ be a sequence of trees. Then, the potential of $t_1, \ldots, t_m$ wrt. Q is given by

$$\Phi(t_1, \ldots, t_m \mid Q) = \sum_{i=1}^{m} q_i \cdot \mathrm{rk}(t_i) + \sum_{(a_1,\ldots,a_m,b)} q_{(a_1,\ldots,a_m,b)} \cdot p_{(a_1,\ldots,a_m,b)}(t_1, \ldots, t_m).$$


In case of an annotation of length 1, we sometimes write $q_*$ instead of $q_1$. We may also write $\Phi(v : \alpha \mid Q)$ for the potential of a value of type α annotated with Q. Both notations were already used above. Note that only values of tree type are assigned a potential. We use the convention that the sequence elements of resource annotations are denoted by the lower-case letter of the annotation, potentially with corresponding sub- or superscripts.


Example 1. Let t be a tree. To model its potential as $\log_2(|t|)$ according to Definition 1, we simply set $q_{(1,0)} := 1$ and thus obtain $\Phi(t \mid Q) = \log_2(|t|)$, which describes the potential associated to the input tree t of our leading example descend above.


Let σ be a substitution, let Γ denote a typing context and let $x_1 : T, \ldots, x_n : T$ denote all tree types in Γ. A resource annotation for Γ or simply annotation is an annotation for the sequence of trees $x_1\sigma, \ldots, x_n\sigma$. We define the potential of the annotated context Γ|Q wrt. a substitution σ as $\Phi(\sigma; \Gamma \mid Q) := \Phi(x_1\sigma, \ldots, x_n\sigma \mid Q)$.
(ite : coin)   $\Gamma|Q_1 \vdash e_1 : \alpha|Q'$,  $\Gamma|Q_2 \vdash e_2 : \alpha|Q'$,  $p = a/b$,  $Q = p \cdot Q_1 + (1 - p) \cdot Q_2$  ⟹  $\Gamma|Q \vdash \mathtt{if\ coin}\ a/b\ \mathtt{then}\ e_1\ \mathtt{else}\ e_2 : \alpha|Q'$

Fig. 12. Conditional expression that models tossing a coin.


Definition 2. An annotated signature $\mathcal{F}$ maps functions f to sets of pairs of annotated types for the arguments and the annotated type of the result:

$$\mathcal{F}(f) = \{\alpha_1 \times \cdots \times \alpha_n \mid Q \to \beta_1 \times \cdots \times \beta_k \mid Q' : m = |Q|,\ 1 = |Q'|\}.$$

We suppose f takes n arguments of which m are trees; m ≤ n by definition. Similarly, the return type may be the product $\beta_1 \times \cdots \times \beta_k$. In this case, we demand that at most one $\beta_i$ is a tree type.³


Instead of $\alpha_1 \times \cdots \times \alpha_n \mid Q \to \beta_1 \times \cdots \times \beta_k \mid Q' \in \mathcal{F}(f)$, we sometimes succinctly write $f : \alpha|Q \to \beta|Q'$ where α, β denote the product types $\alpha_1 \times \cdots \times \alpha_n$, $\beta_1 \times \cdots \times \beta_k$, respectively. It is tacitly understood that the above syntactic restrictions on the length of the annotations Q, Q' are fulfilled. For every function f, we also consider its cost-free variant from which all ticks have been removed. We collect the cost-free signatures of all functions in the set $\mathcal{F}^{\mathrm{cf}}$.


Example 2. Consider the function descend depicted in Fig. 2. Its signature is formally represented as $T|Q \to T|Q'$, where $Q := [q_*] \cup [(q_{(a,b)})_{a,b \in \mathbb{Z}}]$ and $Q' := [q'_*] \cup [(q'_{(a,b)})_{a,b \in \mathbb{Z}}]$. We leave it to the reader to specify the coefficients in Q, Q' so that the rule (app) as depicted in Sect. 2 can indeed be employed to type the recursive call of descend.


Let $Q = [q_*] \cup [(q_{(a,b)})_{a,b \in \mathbb{N}}]$ be an annotation and let K be a rational such that $q_{(0,2)} + K \geq 0$. Then, $Q' := Q + K$ is defined as follows: $Q' = [q_*] \cup [(q'_{(a,b)})_{a,b \in \mathbb{N}}]$, where $q'_{(0,2)} := q_{(0,2)} + K$ and for all $(a,b) \neq (0,2)$, $q'_{(a,b)} = q_{(a,b)}$. Recall that $q_{(0,2)}$ is the coefficient of the function $p_{(0,2)}(t) = \log_2(0 \cdot |t| + 2) = 1$, so the annotation Q + K increments or decrements the cost from the potential induced by Q by |K|, respectively. Further, we define the multiplication of an annotation Q by a constant K, denoted as $K \cdot Q$, pointwise. Moreover, let $P = [p_*] \cup [(p_{(a,b)})_{a,b \in \mathbb{N}}]$ be another annotation. Then the addition P + Q of annotations P, Q is similarly defined pointwise.


5.2 Typing Rules 


The non-probabilistic part of the type system is given in [19]. In contrast to the 
type system employed in [14,18], the cost model is not fixed but controlled by 
the ticking operator. Hence, the corresponding application rule (app) has been 
adapted. Costing of evaluation is now handled by a dedicated ticking operator, 
cf. Fig. 11. In Fig. 12, we give the rule (ite : coin) responsible for typing proba- 
bilistic conditionals. 

³ The restriction to at most one tree type in the resulting type is non-essential and could be lifted. However, as our benchmark functions do not require this extension, we have elided it for ease of presentation.
foo t = match t with
  | leaf -> leaf
  | node l a r -> let l' = (foo l)✓ in let r' = (foo r)✓ in
                  if nondet then l' else r'

Fig. 13. Function foo illustrates the difference between (tick : now) and (tick : defer).


We remark that the core type system, that is, the type system given by Fig. 12 
together with the remaining rules [19], ignoring annotations, enjoys subject 
reduction and progress in the following sense, which is straightforward to verify. 


Lemma 1. Let e be such that e : α holds. Then: (i) If $e \overset{c}{\mapsto} \{e_i^{p_i}\}_{i \in I}$, then $e_i : \alpha$ holds for all $i \in I$. (ii) The expression e is in normal form wrt. ↦ iff e is a value.


5.3 Soundness Theorems 


A program P is called well-typed if for any definition $f(x_1, \ldots, x_n) = e \in P$ and any annotated signature $f : \alpha_1 \times \cdots \times \alpha_n \mid Q \to \beta \mid Q'$, we have a corresponding typing $x_1 : \alpha_1, \ldots, x_n : \alpha_n \mid Q \vdash e : \beta \mid Q'$. A program P is called cost-free well-typed, if the cost-free typing relation is used (which employs the cost-free signatures of all functions).


Theorem 2 (Soundness Theorem for (tick : now)). Let P be well-typed. Suppose $\Gamma|Q \vdash e : \alpha|Q'$ and $e\sigma \xrightarrow{c}_\infty \mu$. Then $\Phi(\sigma; \Gamma|Q) \geq c + \mathbb{E}_\mu(\lambda v.\Phi(v|Q'))$. Further, if $\Gamma|Q \vdash^{\mathrm{cf}} e : \alpha|Q'$, then $\Phi(\sigma; \Gamma|Q) \geq \mathbb{E}_\mu(\lambda v.\Phi(v|Q'))$.


Corollary 1. Let P be a well-typed program such that ticking accounts for all evaluation steps. Suppose $\Gamma|Q \vdash e : \alpha|Q'$. Then e is positively almost surely terminating (and thus in particular almost surely terminating).


Theorem 3 (Soundness Theorem for (tick : defer)). Let P be well-typed. Suppose $\Gamma|Q \vdash e : \alpha|Q'$ and $\sigma \vdash e \Rightarrow^{c} \mu$. Then, we have $\Phi(\sigma; \Gamma|Q) \geq c + \mathbb{E}_\mu(\lambda v.\Phi(v|Q'))$. Further, if $\Gamma|Q \vdash^{\mathrm{cf}} e : \alpha|Q'$, then $\Phi(\sigma; \Gamma|Q) \geq \mathbb{E}_\mu(\lambda v.\Phi(v|Q'))$.


We comment on the trade-offs between Theorems 2 and 3. As stated in Corollary 1, the benefit of Theorem 2 is that when every recursive call is accounted for by a tick, then a type derivation implies the termination of the program under analysis. The same does not hold for Theorem 3. However, Theorem 3 allows typing more programs than Theorem 2, which is due to the fact that the (tick : defer) rule is more permissive than (tick : now). This proves very useful in case termination is not required (or can be established by other means).

We exemplify this difference on the foo function, see Fig. 13. Theorem 3 supports the derivation of the type $\mathrm{rk}(t) + \log_2(|t|) + 1 \geq \mathrm{rk}(\mathrm{foo}\ t) + 1$, while Theorem 2 does not. This is due to the fact that potential can be "borrowed" with Theorem 3. To wit, from the potential $\mathrm{rk}(t) + \log_2(|t|) + 1$ for foo one can derive the potential $\mathrm{rk}(l') + \mathrm{rk}(r')$ for the intermediate context after both let-expressions (note there is no +1 in this context, because the +1 has been used to pay for the ticks around the recursive calls). Afterwards one can restore the +1 by weakening $\mathrm{rk}(l') + \mathrm{rk}(r')$ to $\mathrm{rk}(\mathrm{foo}\ t) + 1$ (using in addition that $\mathrm{rk}(t) \geq 1$ for all trees t). On the other hand, we cannot "borrow" with Theorem 2 because the rule (tick : now) forces us to pay the +1 for the recursive call immediately (but there is not enough potential to pay for this). In the same way, the application of rule (tick : defer) and Theorem 3 is essential to establish the logarithmic amortised costs of randomised splay trees. (We note that the termination of foo as well as of splay is easy to establish by other means: it suffices to observe that recursive calls are on sub-trees of the input tree.)


Table 2. Coefficients q such that $q \cdot \log_2(|t|)$ is a bound on the expected amortized complexity of splay depending on the probability p of a rotation and the cost c of a recursive call, where the cost of a rotation is 1 − c. Coefficients are additionally presented in decimal representation to ease comparison.

  p \ c |  c = 1/2        |  c = 1/3         |  c = 2/3
  ------+-----------------+------------------+-----------------
  1/2   |  9/8     1.125  |  1       1       |  5/4     1.25
  1/3   |  1       1      |  5/6     0.83    |  7/6     1.16
  2/3   |  55/36   1.527  |  77/54   1.4259  |  44/27   1.629


6 Implementation and Evaluation 


Implementation. Our prototype ATLAS is an extension of the tool described 
in [18]. In particular, we rely on the preprocessing steps and the implementation 
of the weakening rule as reported in [18] (which makes use of Farkas’ Lemma in 
conjunction with selected mathematical facts about the logarithm as mentioned 
above). We only use the fully-automated mode reported in [18]. We have adapted 
the generation of the constraint system to the rules presented in this paper. We 
rely on Z3 [26] for solving the generated constraints. We use the optimisation 
heuristics of [18] for steering the solver towards solutions that minimize the 
resulting expected amortised complexity of the function under analysis. 


Evaluation. We present results for the benchmarks described in Sect.2 (plus 
a randomised version of splay heaps, the source code can be found in [19]) in 
Table 1. Table 3 details the computation time for type checking our results. Note 
that type inference takes considerably longer (tens of hours). To the best of our 
knowledge this is the first time that an expected amortised cost could be inferred 
for these data structures. 

By comparing the costs of the operations of randomised splay trees and heaps to the costs of their deterministic versions (see Table 1), one can see that the randomised variants have equal or lower complexity in all cases (as noted in Table 2 we have set the costs of the recursive call and the rotation to 1/2, such that in the deterministic case, which corresponds to a coin toss with p = 1, these costs will always add up to one). Clearly, setting the cost of the recursion to the same value as the cost of the rotation need not reflect the relation of the actual costs. A more accurate estimation of the relation of these two costs will likely require careful experimentation with data structure implementations, which we consider orthogonal to our work. Instead, we report that our analysis is readily adapted to different costs and different coin toss probabilities. We present an evaluation for different values of p, recursion cost c and rotation cost 1 − c in Table 2. In preparing Table 2 the template $q_* \cdot \mathrm{rk}(t) + q_{(1,0)} \cdot \log_2(|t|) + q_{(0,2)}$ was used for performance reasons. The memory usage according to Z3's "max memory" statistic was 7129 MiB per instance. The total runtime was 1H45M, with an average of 11M39S and a median of 2M33S. Two instances took longer (36M and 49M).


Table 3. Number of assertions, solving time for type checking, and maximum memory usage (in mebibytes) for the combined analysis of functions per module. The number of functions and lines of code is given for comparison.

  Module            Functions  Lines  Assertions  Time    Memory
  RandSplayTree         4       129     195 339   33M27S  19424.44
  RandSplayHeap         2        34      77 680    6M15S  14914.51
  RandMeldableHeap      3        15      25 526       20S   4290.67
  CoinSearchTree        3        24      14 045        4S   1798.59
  Tree                  1         5         151      <1S     45.23


Deterministic Benchmarks. For comparison we have also evaluated our tool ATLAS on the benchmarks of [18]. All results could be reproduced by our implementation. In fact, for the function SplayHeap.insert it yields an improvement of $\frac{1}{4}\log_2(|h|)$, i.e. $\frac{1}{2}\log_2(|h|) + \log_2(|h| + 1) + \frac{3}{2}$ compared to $\frac{3}{4}\log_2(|h|) + \log_2(|h| + 1) + \frac{3}{2}$. We note that we are able to report better results because we have generalised the resource functions $p_{(a_1,\ldots,a_m,b)}(t_1,\ldots,t_m) = \log_2(a_1 \cdot |t_1| + \cdots + a_m \cdot |t_m| + b)$ to also allow negative values for b (under the condition that $\sum_i a_i + b \geq 1$) and our generalised (let : tree) rule can take advantage of these generalised resource functions (see [19] for a statement of the rule and the proof of its soundness as part of the proof of Theorem 3).


7 Conclusion 


In this paper, we present the first fully-automated expected amortised cost analysis of self-adjusting data structures, that is, of randomised splay trees, randomised splay heaps and randomised meldable heaps, which so far have only (semi-)manually been analysed in the literature.

In future work, we envision extending our analysis to related probabilistic settings such as skip lists [30], randomised binary search trees [20] and randomised treaps [8]. We note that adapting the framework developed in this paper to new benchmarks will likely require identifying new potential functions and extending the type-and-effect system with typing rules for these potential functions. Further, on more theoretical grounds we want to clarify the connection of the here proposed expected amortised cost analysis with Kaminski's ert-calculus, cf. [15], and study whether the expected cost transformer is conceivable as a potential function.
Abstract. SMT solvers are highly complex pieces of software with performance, robustness, and correctness as key requirements. Complementing traditional testing techniques for these solvers with randomized stress testing has been shown to be quite effective. Recent work has showcased the value of input fuzzing for finding issues, but this approach typically does not comprehensively test a solver's API. Previous work on model-based API fuzzing was tailored to a single solver and a small subset of SMT-LIB. We present Murxla, a comprehensive, modular, and highly extensible model-based API fuzzer for SMT solvers. Murxla randomly generates valid sequences of solver API calls based on a customizable API model, with full support for the semantics and features of SMT-LIB. It is solver-agnostic but extensible to allow for solver-specific testing and supports option fuzzing, cross-checking with other solvers, translation to SMT-LIBv2, and SMT-LIBv2 input fuzzing. Our evaluation confirms its efficacy in finding issues in multiple state-of-the-art SMT solvers.


1 Introduction 


Satisfiability Modulo Theories (SMT) solvers determine the satisfiability of for- 
mulas over first-order theories and their combinations. They serve as back-end 
reasoning engines for a wide range of applications in academia and industry [18, 
27], including hardware and software verification [14,29,31,35,38,40], model 
checking [23,24,46], security [12,33], automated test-case generation [22,50], and 
synthesis [10,34]. Notable SMT solvers include Bitwuzla [42], Boolector [46], cvc5 
[13], MathSAT [26], OpenSMT2 [36], SMTInterpol [25], SMT-RAT [28], STP 
[32], veriT [20], Yices2 [30], and Z3 [41]. State-of-the-art SMT solvers are complex 
pieces of software with up to hundreds of thousands of lines of code. Because 
of their frequent use as back-ends in higher-level tool chains, strong requirements 
include performance, robustness, and a high level of trust. Due to their complex 
nature, full verification of SMT solvers has so far remained out of reach. Fur- 
thermore, most SMT solvers are under active development, meaning that there 
is a constant risk of introducing new issues. While traditional testing techniques 
such as unit testing and a regression test suite are important, these techniques 
alone are insufficient for achieving high levels of robustness. 

SMT solvers usually provide two user-facing interfaces: (i) a textual interface 
(expecting input in either SMT-LIBv2 [15] or some solver-specific format); and 
(ii) the application programming interface (API), which allows users to directly 
integrate the solver into a tool chain. Randomized stress testing (fuzz testing) 
can be used as a complement to traditional testing to attack these interfaces 
and has been shown to be very effective at finding issues and thereby helping 
to improve the correctness and robustness of SMT solvers. In 2009, Brummayer 
et al. [21] presented a grammar-based generative black-box input fuzzer for the 
SMT-LIBv1 language [48] called FuzzSMT, and in 2017, Niemetz et al. [45] pre- 
sented a model-based API fuzz testing framework called BtorMBT for the SMT 
solver Boolector. More recently, fuzz testing of SMT solvers via their textual inter- 
face has gained even more traction with a series of papers on the subject in top 
venues [19,39,47,49, 51,52]. Note that these approaches (and this paper) assume 
full knowledge of the input structure, i.e., they only generate valid textual input 
or sequences of API calls. Fuzz testing approaches that are unaware of the input 
structure can also be useful for testing whether invalid inputs or API calls are han- 
dled correctly. This is, however, not a direction we address in this paper. 

As mentioned, recent work has focused on fuzzing the textual interface. 
This is not surprising, as it typically requires significantly less effort than API 
fuzzing. Input fuzzers generate a new input file or mutate an existing (so-called) 
seed input file and pass it to a solver binary. Fuzz testing of the solver API is 
more involved since it requires interaction with the solver—API fuzzers generate 
sequences of calls to the solver API and typically link against the solver library. 

There are, however, unique advantages that API fuzzers have. For example, 
API call sequences generated by API fuzzers may include features and extensions 
that are not supported by or cannot be expressed via the textual interface. 
Moreover, even if restricted to standard features, API fuzzers may be able to 
generate sequences of calls that are not possible using the textual interface, even 
if the textual interface is built on top of the user-facing API, and especially if it 
is not. On the other hand, API fuzzing cannot find bugs in parser code. Thus, 
both fuzzing strategies have unique benefits. 

API fuzzing has been an integral part of the development workflow of the 
SMT solver Boolector [46] since 2013. Boolector supports quantified bit-vector 
formulas and quantifier-free formulas in the theories of fixed-size bit-vectors, 
arrays and uninterpreted functions. It ships with BtorMBT [45], an API fuzzer 
tailored to Boolector, which covers all features of Boolector except quantifiers. 
BtorMBT has been regularly and rigorously applied during active development 
of Boolector (locally, prior to major commits to master, and in a cluster setting 
on 30 nodes prior to every release), with great success. Notably, recent SMT 
fuzzing campaigns did not report any issues in code covered by BtorMBT [39]; 
in particular, the few that have been reported [2] all made use of quantified 
formulas, which are unsupported by BtorMBT. To the best of our knowledge,¹ 
Boolector is the only SMT solver for which API fuzzing has been integrated as 
a core component of the development workflow. 

¹ The first two authors of this paper are the main developers of the SMT solvers 
Bitwuzla [42] and Boolector [46], and all three authors are part of the development 
team of the SMT solver CVC4 [16] and its successor cvc5 [13]. 

One of BtorMBT’s major weaknesses, however, is that it cannot be used with 
other SMT solvers and cannot easily be extended to do so: it is monolithic, tailored 
towards the supported theories, and directly calls Boolector’s API. Further, it lacks 
support for quantified formulas, only supports a subset of the theories standardized 
in SMT-LIB, and even for those, not the full feature set, since Boolector only 
supports a subset. For recording API call sequences, it relies on the API tracing 
feature of Boolector, the system under test. And for replaying and minimizing 
such recorded sequences, it requires additional tools. 


Contributions. In this paper, we present Murxla, a modular and highly extensible 
model-based API fuzzer for SMT solvers. Murxla is a comprehensive fuzzing 
tool that generates valid sequences of solver API calls, records these sequences 
in a simple text-based trace format, and provides support for minimizing and 
replaying these traces while preserving the original behavior of the solver. Murxla 
builds on top of a generic solver interface that can be used with any SMT solver 
and provides full SMT-LIB support in terms of semantics, features, and standard 
theories. It further has experimental support for some non-standard theories 
(sequences, sets, bags) and is fully compatible with and configurable for solver- 
specific features, extensions, and restrictions. Murxla provides support for option 
fuzzing (randomly configuring solver options based on the options model of the 
solver) and can be run in cross-checking mode, where the answers of two different 
solvers are compared with each other. It additionally implements correctness 
checks for retrieved model values, unsat assumptions, and unsat cores. Finally, 
it can optionally translate generated API traces to SMT-LIBv2 (provided that 
the traces do not contain solver-specific extensions), and can thus be used as a 
textual interface fuzzer for any solver that supports SMT-LIBv2. 

Murxla currently supports the SMT solvers Bitwuzla [42], Boolector [46], 
cvc5 [13], and Yices2 [30]. Our goal so far has been to fully cover solvers we are 
actively developing (the first three). We additionally added support for Yices2 as 
a proof of concept for showing that the tool is sufficiently general and modular 
to be used with solvers other than our own. 


Related Work. The first application of model-based API fuzzing in the context 
of verification back-ends was proposed by Artho et al. [11] for the SAT solver 
Lingeling [17]. In the context of SMT solvers, the first and only integration of 
model-based API fuzzing as a core component of the development workflow was 
for the solver Boolector [45], as described above. In both instances, the authors 
showed the effectiveness of the approach for testing solvers, in particular in 
combination with option fuzzing and delta debugging. 

The first input fuzzer for the SMT-LIB language was FuzzSMT [21], a genera- 
tive grammar-based fuzzer supporting most of SMT-LIBv1 [48]. In 2018, Blotsky 
et al. [19] presented an SMT-LIBv2 input fuzzer specifically for strings, which 
generates and mutates SMT-LIBv2 input and mainly targets performance issues. 
In 2020, Winterer et al. [51,52] proposed two mutational approaches, one based 
on merging two inputs and the other based on mutating operators. The for- 
mer supports only integers, reals, and strings, whereas the latter supports all 
benchmarks in SMT-LIB but only mutations for the most basic operators. In 
the same year, Mansur et al. [39] presented Storm, an SMT-LIBv2 fuzzer based 
on mutating the Boolean structure of an input. Most recently, Park et al. [47] 
presented TypeFuzz, a hybrid approach for integers, reals, and strings which 
mutates SMT-LIBv2 by replacing expressions with newly generated expressions. 
Finally, Scott et al. [49] recently proposed a mutational fuzzer for all of SMT-LIB 
which leverages reinforcement learning and targets performance issues. 


2 Model-Based API Fuzzing for SMT Solvers 


Generally speaking, model-based API fuzzing can be seen as lifting grammar- 
based input fuzzing to the API level: it requires a “model” of the solver that 
defines what sequences of API calls are valid. For convenience, we consider this 
model to be made up of three distinct parts: (i) the semantic (or data) model, 
which defines constructs (such as theories, sorts, operators, and commands) and 
their semantics (usually based on the SMT-LIBv2 [15] standard); (ii) the API 
model, which defines the usage of the API itself; and (iii) the options model, 
which defines configuration options and how they may or may not be combined. 

The main requirements for SMT solvers, especially when used as back-ends 
of higher-level tool chains, are correctness, performance, and robustness. Within 
the SMT community, the notion of “issue” is thus commonly defined as one of 
the following: (i) soundness issues—either refutation unsoundness (the solver 
answers unsat when the input is sat) or model unsoundness (the solver answers 
sat when the input is unsat); (ii) incorrect witnesses—models (values), proofs, 
unsat cores, or unsat assumptions; (iii) crashes—assertion failures, segmentation 
faults; and (iv) performance regressions. The most critical issues are soundness 
issues. Refutation unsoundness is especially problematic, as most solvers pro- 
vide limited or no means for checking the correctness of an unsat result. Model 
unsoundness is less problematic, since state-of-the-art SMT solvers usually pro- 
vide models for satisfiable formulas, which are easier to check for correctness. The 
easiest way to identify soundness issues is to check one solver against a second 
solver, unless the satisfiability of the input formula is known or can be deter- 
mined by construction. Witnesses are very often checked inside the solver when 
in debug mode, and their correctness can be determined outside the solver with 
relatively little effort for all but proofs, which require more involved checking. 

As SMT solver developers, we are interested in catching issues as close to the 
source as possible. For that purpose, in the context of model-based API fuzzing, 
we configure solvers under test in debug mode with assertions enabled. 


3 Murxla 


Murxla is a modular model-based API fuzzing tool for SMT solvers which gen- 
erates valid solver API call sequences and supports the recording, replaying, 
and minimizing of these sequences for debugging purposes. Murxla is written 
in C++ and available under the GPLv3 at [43]. Extensive documentation is 
available at [44]. A high-level view of its architecture is given as a call graph in 
Fig. 1. Murxla can integrate any SMT solver (provided that it exposes an API 
in a programming language that can be integrated). Murxla provides a solver 
API abstraction, the Generic Solver API, which is then specialized via a solver 
wrapper for a specific solver. Solver-specific components are indicated in blue 
in Fig. 1 and consist of the solver wrappers and solver-specific extensions of the 
general API model and options model implemented by Murxla. The four main 
components of Murxla (green) are the API Fuzzer, the Tracer, the Untracer, and 
the Trace Minimizer. 

Fig. 1. Murxla architecture. (Color figure online) 

The API Fuzzer is responsible for generating random but valid API call 
sequences to the solver under test. The Tracer records these sequences in an 
API trace, which stores all the information required to replay the trace with 
the Untracer. Replaying a trace with the Untracer executes the exact same API 
call sequence that was executed when recording the trace. This is particularly 
useful for replicating interesting behavior that was uncovered while fuzzing the 
API of the solver under test. The Trace Minimizer takes an API trace as input 
and tries to minimize it while preserving its behavior with respect to the solver 
under test. Murxla’s core connects all of these components. It is also responsible 
for interfacing with the SMT solvers and maintaining all sorts and terms created 
by a solver. In the following, we will describe these components in more detail. 


3.1 The Core 


Murxla’s Core manages communication and the sorts and terms created by a 
solver. It consists of three modules: the Actions, the Solver Manager, and the 
Generic Solver API. 


Actions. An action is an abstraction defining a particular interaction with the 
solver under test. These interactions are represented internally as a set of calls 
to the Generic Solver API. Actions are responsible for three tasks: (1) randomly 
generating API call arguments; (2) executing API calls with a given set of argu- 
ments; and (3) replaying a traced copy of the action. 

Murxla currently implements a base set of 25 actions which wrap the methods 
of the Generic Solver API and include creating and deleting a solver instance, 
configuring solver options, creating sorts and terms, asserting formulas, altering 
the context levels via push and pop, checking satisfiability of asserted formu- 
las (with assumptions), and many more. When executing API calls, actions 
may perform sanity checks on results retrieved from solver API calls. For this, 
Murxla provides a macro MURXLA_TEST which allows C-style assertion checks. 
These remain in the code even if the tool is compiled without assertions. If a 
solver supports more functionality than that covered by the Generic Solver API, 
the solver wrapper can extend the base set with solver-specific actions which 
directly interact with the solver API. 


Solver Manager. The Solver Manager is the central manager for sorts, oper- 
ators, and terms created by the solver. It exposes an interface for actions to 
(i) randomly pick enabled sorts and operators based on certain criteria, and 
(ii) notify the manager of new terms and sorts. The Solver Manager further 
maintains solver-specific configurations of supported theories, sorts, and oper- 
ators. It configures solver-specific behavior by querying the solver wrapper to 
obtain solver-specific configuration information (e.g., solver-specific operators) 
and restrictions (e.g., unsupported sorts and operators). 


Generic Solver API. The Generic Solver API provides a common solver inter- 
face for interacting with a solver under test. It covers the majority of the features 
defined in SMT-LIB, and defines abstract base classes for sort, term and solver 
implementations. It further provides an interface for configuring the Solver Man- 
ager as mentioned above. Integrating a new SMT solver into Murxla amounts to 
implementing these three classes, and optionally, solver-specific configurations, 
in a solver wrapper. 

The Generic Solver API aims at being as general as possible while sup- 
porting all semantic features of the SMT-LIB data model. The Generic Solver 
API further supports “meta” solvers for different purposes. Murxla implements 
meta solvers for: (i) performing checks of witnesses that require additional solver 
instances (model value, unsat core, and unsat assumptions checks); (ii) checking 
the results of one solver instance against another to identify soundness issues; 
(iii) translating API call sequences to the SMT-LIBv2 format; and (iv) SMT- 
LIBv2 input fuzzing of SMT solver binaries in interactive SMT-LIB mode. 


3.2 API Fuzzer 


The API Fuzzer is responsible for generating random but valid API call 
sequences and is the central component of Murxla. Valid API call sequences are 
generated based on an API model which is implemented as a weighted finite- 
state machine (FSM), where states correspond to the current state of the SMT 
solver, and transitions have a weight, a pre-condition, and an associated action. 
Each state of the FSM may provide a pre-condition that defines when it is legal 
to transition into that state. Taking a transition also executes its action. The 
associated action of a transition may be empty, in which case it leads to the 
next state without calling the solver. The pre-condition of a transition and the 
pre-condition of its next state define the conditions under which the transition 
can be selected, whereas its weight determines the probability of it being taken 
in cases where multiple transitions are enabled at the same time. 

By default, the FSM implements an API model that captures the functionality 
and constraints defined in the SMT-LIB standard. As described above, its 
associated actions call the Generic Solver API. Murxla supports arbitrary 
solver-specific modifications to this FSM by providing a configuration interface 
for solver wrappers (which we discuss in Sect. 3.3 below). 

Configuration of the API Fuzzer and execution of its FSM to generate API 
call sequences for a single run is performed using the following steps. 


1. The solver wrapper makes solver-specific modifications to the FSM. 

2. The API Fuzzer picks a set of enabled theories, with or without quantifiers. 

3. The Solver Manager queries the solver wrapper via the Generic Solver API 
to configure solver-specific extensions and restrictions. 

4. The FSM and Murxla’s core components are finalized, and the FSM is set to 
its initial state; this also creates and initializes the actual solver instance. 

5. Next, a set of compatible solver options is selected and configured. 

6. After that, the API fuzzer chooses an execution of the FSM and executes the 
actions associated with that execution, thereby generating a sequence of calls 
to the solver. This continues until either the solver crashes, the final state is 
reached, or a configured time limit is exceeded. 


In contrast to some recent mutation-based SMT-LIBv2 input fuzzing 
approaches [39,49,51,52], the API Fuzzer is generation-based: it generates 
expressions that, importantly, respect the semantic and API models of the 
solver under test. Non-leaf terms are generated by combining leaf terms (vari- 
ables or theory-specific constants) and previously generated terms via any of 
the enabled operators. To bias the generated terms towards more variety and 
structure, each term maintains a reference count, and terms with lower reference 
counts are selected with a higher probability when constructing new terms. For 
indexed operator kinds (e.g., the extract operator in the theory of fixed-size 
bit-vectors), random integer values up to a configured maximum value (if not 
otherwise restricted by the semantics of the operator) are selected. Similarly, 
arguments to sort constructors (e.g., Array) are sampled from previously gener- 
ated sorts, and sorts with numeric parameters (e.g., bit-vector and floating-point 
sorts) are constructed from randomly selected integer values up to a configured 
maximum value. 

The API fuzzer utilizes a random number generator (RNG) for random deci- 
sions, which is deterministic in the sense that it is guaranteed to produce the 
same sequence of values when given the same starting seed. The API fuzzer 
supports two usage modes: (i) single run, starting with a specific seed; and (ii) 
continuous, consisting of repeated single runs with seeds selected by a dedicated 
Seed Generator, which uses the current time and process ID to generate seeds. 
Each mode can be restricted to a given set of theories (with or without quan- 
tifiers) via the command line (in this case, step two of the fuzzer configuration 
detailed above is skipped). When in single run mode, Murxla by default sends 
a trace of the run to stdout (and optionally to a file). In continuous mode, each 
run is first executed without tracing. If a run uncovers an issue, it is replayed 
with the same seed and recorded to a trace file. In this mode, Murxla maintains 
a statistics summary with the current number of issues, timeouts, and sat, unsat, 
and unknown results. When an issue is discovered, it reports the corresponding 
seed and solver output. On termination, it provides an overview of all issues, 
deduplicated based on fuzzy matching on the solver output. 

Murxla reports false positives only in rare cases where avoiding them would 
require unreasonable effort, e.g., implementing well-formedness checks for 
algebraic datatypes. 
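
The weighted FSM, the reference-count-biased term selection and the per-action 
seeding described in this section, as an added example that is not Murxla’s own 
code: a self-contained C++ sketch in which transitions carry a weight, a 
pre-condition and an action, a main RNG decides among the enabled transitions 
and hands a fresh seed to every executed action, and the recorded lines follow 
the <seed> <action> ... shape of the trace format of Sect. 3.4. ToySolver is an 
assumption standing in for a Generic Solver API implementation, the state names 
are invented here, and the action and sort names are borrowed from Fig. 2. 

```cpp
// Added example, not Murxla's own API Fuzzer: a miniature weighted FSM whose transitions
// carry a weight, a pre-condition and an action, driving a toy solver stand-in and
// recording one "<seed> <action> ..." trace line per executed action.
#include <cstdint>
#include <functional>
#include <random>
#include <string>
#include <vector>

// Hypothetical stand-in for a Generic Solver API implementation (assumption).
struct ToySolver {
  std::vector<std::string> asserted;
  int check_sat_calls = 0;
  void assert_formula(const std::string& f) { asserted.push_back(f); }
  void check_sat() { ++check_sat_calls; }
};

struct Term { std::string repr; int refs = 0; };

struct Transition {
  std::string from, to;
  unsigned weight;                       // relative probability among enabled transitions
  std::function<bool()> pre;             // pre-condition of the transition
  std::function<void(uint32_t)> action;  // empty = no solver call; receives the per-action seed
};

class MiniFuzzer {
 public:
  explicit MiniFuzzer(uint32_t seed) : rng_(seed) { build_fsm(); }

  // One run of the FSM from "start" until "final" (or a step limit); returns the trace.
  std::vector<std::string> run(size_t max_steps = 500) {
    for (size_t step = 0; state_ != "final" && step < max_steps; ++step) {
      std::vector<const Transition*> enabled;
      std::vector<double> weights;
      for (const auto& t : fsm_)
        if (t.from == state_ && t.pre()) { enabled.push_back(&t); weights.push_back(t.weight); }
      std::discrete_distribution<size_t> choose(weights.begin(), weights.end());
      const Transition* t = enabled[choose(rng_)];
      uint32_t action_seed = rng_();     // seed for the wrapper RNG, written into the trace
      if (t->action) t->action(action_seed);
      state_ = t->to;
    }
    return trace_;
  }
  const ToySolver& solver() const { return solver_; }

 private:
  // Pick a term, preferring ones with a low reference count (more variety and structure).
  size_t pick_term() {
    std::vector<double> w;
    for (const auto& t : terms_) w.push_back(1.0 / (1.0 + t.refs));
    std::discrete_distribution<size_t> d(w.begin(), w.end());
    size_t i = d(rng_);
    terms_[i].refs++;
    return i;
  }
  std::string tid(size_t i) const { return "t" + std::to_string(i + 1); }
  void line(uint32_t seed, const std::string& rest) { trace_.push_back(std::to_string(seed) + " " + rest); }

  void build_fsm() {
    auto always = [] { return true; };
    fsm_.push_back({"start", "fresh", 1, always, [this](uint32_t s) { line(s, "new"); }});
    fsm_.push_back({"fresh", "inputs", 1, always, [this](uint32_t s) { line(s, "mk-sort SORT_BV 8"); trace_.push_back("return s1"); }});
    fsm_.push_back({"inputs", "inputs", 3, always, [this](uint32_t s) {  // fresh 8-bit constant
      std::string name = "x" + std::to_string(terms_.size());
      terms_.push_back({name, 0});
      line(s, "mk-const s1 \"" + name + "\""); trace_.push_back("return " + tid(terms_.size() - 1));
    }});
    fsm_.push_back({"inputs", "inputs", 2, [this] { return terms_.size() >= 2; }, [this](uint32_t s) {
      size_t a = pick_term(), b = pick_term();  // combine previously generated terms
      terms_.push_back({"(= " + terms_[a].repr + " " + terms_[b].repr + ")", 0});
      line(s, "mk-term OP_EQUAL SORT_BOOL 2 " + tid(a) + " " + tid(b));
      trace_.push_back("return " + tid(terms_.size() - 1) + " s2");  // result sort s2 is new here
    }});
    fsm_.push_back({"inputs", "asserted", 1, [this] { return !terms_.empty(); }, [this](uint32_t s) {
      size_t a = pick_term();
      solver_.assert_formula(terms_[a].repr);
      line(s, "assert-formula " + tid(a));
    }});
    fsm_.push_back({"asserted", "inputs", 1, always, nullptr});  // empty action: no solver call
    fsm_.push_back({"asserted", "checked", 2, always, [this](uint32_t s) { solver_.check_sat(); line(s, "check-sat"); }});
    fsm_.push_back({"checked", "final", 1, always, [this](uint32_t s) { line(s, "delete"); }});
  }

  std::mt19937 rng_;               // main RNG: the same seed reproduces the same run
  ToySolver solver_;
  std::vector<Term> terms_;        // term database with reference counts
  std::vector<std::string> trace_;
  std::string state_ = "start";
  std::vector<Transition> fsm_;
};

std::vector<std::string> fuzz_trace(uint32_t seed) { return MiniFuzzer(seed).run(); }
bool reproducible(uint32_t seed) { return fuzz_trace(seed) == fuzz_trace(seed); }
int check_sat_count(uint32_t seed) { MiniFuzzer f(seed); f.run(); return f.solver().check_sat_calls; }
```

The "asserted" state has one empty-action transition back to "inputs" and a 
heavier one to "checked", so a run asserts at least one formula, calls check-sat 
exactly once and ends with delete; two runs started from the same seed yield 
the same trace, which is the property that makes seed-only reproduction (the 
single-run mode described above) possible. 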


3.3 Solver Wrappers 


As mentioned above, a solver wrapper is used to connect Murxla to a solver. 
Solver wrappers are typically 2k–4k LOC in size and implement the Generic 
Solver API. If a solver provides features that are different from those covered by 
the Generic Solver API, a solver wrapper can accommodate these differences by 
reconfiguring the FSM of the API Fuzzer to add or remove states, transitions, and 
actions (added actions can be configured to call the API of the solver under test 
directly). Solver wrappers are further responsible for configuring the semantic 
model of the API Fuzzer by (i) adding or removing supported theories and their 
corresponding sorts and operators; and (ii) extending or restricting the set of 
operators for supported theories. Solver wrappers may also implement sanity 
checks of arbitrary complexity by utilizing the MURXLA_TEST macro. 

The option model of a solver is implemented as part of the Generic Solver 
API. For Bitwuzla, Boolector, and cvc5, this amounts to 15-55 LOC since all 
three can be queried for available options and valid configuration values via the 
API. This allows an automated registration of options with the Solver Manager. 
Yices2 does not provide this feature, so its options would have to be registered 
explicitly; its option model is currently not implemented. 

Each solver wrapper maintains its own RNG which is used to make choices 
when there are multiple alternative solver API calls for one specific task. This 
RNG is independent from the main RNG of the API Fuzzer and is seeded with 
a value generated by the main RNG for each action execution. These seeds are 
recorded by the Tracer to ensure that random choices can be deterministically 
replicated when replaying a traced run of the API Fuzzer. 


3.4 Tracer, Untracer, Trace Minimizer 


The Tracer records all action executions with their corresponding arguments 
and return values in a text-based format. Each action line in the trace follows the 
pattern <seed> <action> [<args...>], optionally followed by a return statement 
of the form return <values...> for actions that create sorts or terms. The <seed> 
in an action is the seed of the solver wrapper’s RNG when executing the action. 
It is recorded to ensure that random choices made by the solver wrapper can 
be deterministically replicated. This is especially important when minimizing a 
trace, since modifying trace lines may change the way the main RNG behaves 
when replaying the trace. Sorts are recorded as s<id> and terms as t<id>, and 
the <args...> of an action line determine all sort, term and numerical arguments 
required to replay the execution of the given action. Similarly, the <values...> of 
a return statement record all of its sort and term return values. Figure 2 shows 
an example of a trace generated by Murxla. It records the action sequence for 
checking the satisfiability of a = b, where a and b are bit-vectors of size 8. 
Note that when creating terms via mk-term, we trace argument lists while also 
providing the number of arguments, e.g., 2 t1 t2. The same applies for indices 
of indexed operators. Further, for any action that creates terms that are added 
to the term database (e.g., mk-term), we also need to trace the sort of the created 
term, e.g., return t3 s1. This is due to the fact that some operators create terms 
of new sorts that may not have been encountered in the trace yet. 


    74761 new
    65471 set-logic QF_BV
    33949 mk-sort SORT_BOOL
    return s1
    64345 mk-sort SORT_BV 8
    return s2
    49391 mk-const s2 "a"
    return t1
    89712 mk-const s2 "b"
    return t2
    6548 mk-term OP_EQUAL SORT_BOOL 2 t1 t2
    return t3 s1
    20351 assert-formula t3
    47017 check-sat
    74496 delete

Fig. 2. Murxla trace for checking a = b for bit-vectors a and b of size 8. 

The Untracer takes a trace as input and replays each recorded action, 
thereby replicating the behavior of the original execution. This is especially use- 
ful for debugging erroneous behavior of the solver under test. Additionally, if a 
trace does not contain any solver-specific extensions, the Untracer can replay it 
using a different solver or translate it to the SMT-LIBv2 format. Tracing actions 
instead of calls to the Generic Solver API has the advantage that both the API 
Fuzzer and the Untracer can use the same infrastructure for communicating with 
the solver under test. Furthermore, supporting solver-specific actions does not 
require changes to any component other than the solver wrapper. 

The Trace Minimizer is built on top of the Untracer and minimizes a 
given trace while preserving the behavior of the original execution. It implements 
simple ddmin-style [53] minimization techniques in three phases: (i) line-based 
minimization to reduce the number of trace lines; (ii) minimization of action 
lines to reduce the number of arguments; and (iii) term substitution, where 
terms are replaced with simpler terms of the same sort. Even though all of these 
minimization techniques are rather basic, the Trace Minimizer typically reduces 
the size of a trace to less than 10% of the original trace. If the minimized trace 
can be translated to SMT-LIB, then it can often be further reduced using a 
delta-debugging tool such as ddSMT [37]. Even if a minimized trace cannot be 
expressed in SMT-LIB due to solver-specific extensions, we have found that in 
practice, the reduction due to the Trace Minimizer is typically good enough to 
allow efficient debugging. 
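
The trace format, the Untracer and the line-based phase of the Trace Minimizer 
of this section, as one added example that is not Murxla’s code: a parser for 
<seed> <action> [<args...>] lines with their return <values...> lines, a replay 
that checks against an in-memory reference checker (an assumption standing in 
for the solver under test) that every sort and term id is defined before it is 
used, and a ddmin over action lines whose oracle is "the trace still replays 
cleanly and still triggers the failure". The failure is constructed for the 
example (the stand-in "crashes" in check-sat once anything has been asserted); 
the embedded input is the trace of Fig. 2. 

```cpp
// Added example, not Murxla's own Untracer or Trace Minimizer: parse the trace format of
// Fig. 2, replay it against an in-memory reference checker that stands in for the solver,
// and shrink it with a ddmin-style line minimizer whose oracle is that replay.
#include <algorithm>
#include <functional>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

struct TraceAction {
  std::string seed, name;
  std::vector<std::string> args, rets;  // rets: ids from the following "return" line
};
using Trace = std::vector<TraceAction>;

// "<seed> <action> [<args...>]"; a "return <values...>" line belongs to the action before it.
Trace parse_trace(const std::string& text) {
  Trace out;
  std::istringstream in(text);
  for (std::string line; std::getline(in, line);) {
    std::istringstream ls(line);
    std::string tok;
    if (!(ls >> tok)) continue;  // blank line
    if (tok == "return") {
      if (out.empty()) throw std::runtime_error("return without a preceding action");
      for (std::string v; ls >> v;) out.back().rets.push_back(v);
    } else {
      TraceAction a;
      a.seed = tok;
      ls >> a.name;
      for (std::string v; ls >> v;) a.args.push_back(v);
      out.push_back(a);
    }
  }
  return out;
}

// Reference checker: "" if every sort/term id is defined before use, else the first defect.
std::string replay(const Trace& acts) {
  std::set<std::string> sorts, terms;
  bool alive = false;
  for (const auto& a : acts) {
    const auto& g = a.args;
    if (a.name == "new") { alive = true; continue; }
    if (!alive) return a.name + " before new";
    if (a.name == "delete") alive = false;
    else if (a.name == "set-logic" || a.name == "check-sat") {}
    else if (a.name == "mk-sort" && a.rets.size() == 1) sorts.insert(a.rets[0]);
    else if (a.name == "mk-const" && a.rets.size() == 1 && !g.empty() && sorts.count(g[0]))
      terms.insert(a.rets[0]);
    else if (a.name == "mk-term") {  // <op> <sort-kind> <n> <t_1>..<t_n>; returns <term> <sort>
      if (g.size() < 3 || g.size() != 3 + std::stoul(g[2]) || a.rets.size() != 2) return "mk-term: bad arity";
      for (size_t i = 3; i < g.size(); ++i) if (!terms.count(g[i])) return "mk-term: undefined " + g[i];
      terms.insert(a.rets[0]); sorts.insert(a.rets[1]);  // the result sort may be new
    }
    else if (a.name == "assert-formula" && g.size() == 1 && terms.count(g[0])) {}
    else return "invalid " + a.name;
  }
  return "";
}

// ddmin [53], complement step only: drop one chunk of lines at a time while the oracle holds.
Trace ddmin(Trace acts, const std::function<bool(const Trace&)>& interesting) {
  for (size_t n = 2; acts.size() >= 2;) {
    size_t chunk = (acts.size() + n - 1) / n;
    bool reduced = false;
    for (size_t start = 0; start < acts.size() && !reduced; start += chunk) {
      Trace rest(acts.begin(), acts.begin() + start);  // everything except this chunk
      rest.insert(rest.end(), acts.begin() + std::min(start + chunk, acts.size()), acts.end());
      if (interesting(rest)) { acts = rest; n = std::max<size_t>(n - 1, 2); reduced = true; }
    }
    if (!reduced) { if (n >= acts.size()) break; n = std::min(n * 2, acts.size()); }
  }
  return acts;
}

// The trace of Fig. 2 (a = b over 8-bit bit-vectors), embedded as sample input.
const std::string kFig2Trace =
    "74761 new\n65471 set-logic QF_BV\n33949 mk-sort SORT_BOOL\nreturn s1\n"
    "64345 mk-sort SORT_BV 8\nreturn s2\n49391 mk-const s2 \"a\"\nreturn t1\n"
    "89712 mk-const s2 \"b\"\nreturn t2\n6548 mk-term OP_EQUAL SORT_BOOL 2 t1 t2\n"
    "return t3 s1\n20351 assert-formula t3\n47017 check-sat\n74496 delete\n";

// Constructed oracle: the stand-in "crashes" in check-sat once anything is asserted,
// and the shrunken trace must still be valid (replay cleanly) to count as a reproduction.
bool still_crashes(const Trace& acts) {
  bool asserted = false, crash = false;
  for (const auto& a : acts) {
    if (a.name == "assert-formula") asserted = true;
    if (a.name == "check-sat" && asserted) crash = true;
  }
  return crash && replay(acts).empty();
}

bool has_action(const Trace& acts, const std::string& name) {
  return std::any_of(acts.begin(), acts.end(), [&](const TraceAction& a) { return a.name == name; });
}
```

On the Fig. 2 trace, ddmin(parse_trace(kFig2Trace), still_crashes) drops set-logic, 
the Bool mk-sort and the final delete and keeps the seven actions the failure 
depends on (new, the bit-vector sort, both constants, the equality, the 
assertion and check-sat); removing any one of them either breaks a reference 
or no longer triggers the failure, which is what 1-minimality means here. In 
Murxla the oracle is the Untracer replaying against the real solver, and the 
argument-level and term-substitution phases follow this line-level one. 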


4 Evaluation 


We evaluate the efficacy of Murxla in three experiments, comparing: (1) Murxla 
and BtorMBT, testing Boolector; (2) Murxla and the current state-of-the-art 
input fuzzers STORM [39] and TypeFuzz [47]; and (3) Murxla with and without 
option fuzzing. For this evaluation, we target soundness issues and crashes, and 
do not consider performance regressions. In the following, we use issues to mean 
crashes unless explicitly otherwise noted. We use Bitwuzla commit eea0973 [5], 
Boolector commit b157b10 [6], cvc5 commit OfSee6b [7], and Yices2 commit 
09f1621 [8]. For each experiment we compare the number of issues uncovered 
by each tool, and the code coverage of the solver under test. Code coverage 
was measured with gcov, which is part of the GNU Compiler Collection [9]. We 
performed all experiments in an Ubuntu 21.04 Docker container on a machine 
with an AMD Threadripper 3970X CPU and 128GB of memory and used a one 
hour wall-clock time limit for each experiment and tool. 


Murxla vs. BtorMBT. We compare the effectiveness of fuzzing Boolector with 
Murxla against that of its own custom API fuzzer BtorMBT. We ran both tools 
in continuous mode with a one second time limit per single run. Murxla achieves 
a line (function) coverage of 81% (88%) and finds 18 issues (including 3 known 
reported issues). BtorMBT achieves 72% (81%) coverage, but does not find any 
issues. BtorMBT does not support quantifiers, and three of the issues found by 
Murxla are located in Boolector’s quantifiers module. The other issues, however, 
occur in code that is covered by BtorMBT. 


Murxla vs. STORM, TypeFuzz. We test cvc5 with Murxla, STORM, and 
TypeFuzz on QF_SLIA problems. We use all QF_SLIA benchmarks in the SMT- 
LIB benchmark library as seed files for STORM and TypeFuzz. Both Storm 
and TypeFuzz mainly target soundness issues. TypeFuzz requires using at least 
two SMT solvers as it relies on comparing their results, whereas Storm creates 
satisfiable formulas by construction and does not require cross-checking. Hence, 
we additionally use a cross-checking configuration of Murxla (Murxla-cc), which 
compares Z3 version 4.8.14 and cvc5. Since Murxla does not yet integrate Z3, 
we use it via Murxla’s SMT-LIBv2 interface in interactive SMT-LIB mode (the 
input fuzzing mode). Note that this requires disabling solver-specific extensions 
of cvc5, since they are unsupported by Z3. The results are shown in Table 1. 
Murxla and Murxla-cc have consistently higher coverage than the other tools 
and find 8 issues, whereas the other tools find none. Most notably, Murxla-cc was 
able to find a model unsoundness issue in cvc5, where cvc5 incorrectly reports 
satisfiable due to an incorrect rewrite rule for the re.loop operator [1]. 


Table 1. Number of issues (I), and line (L) and function (F) coverage for experiments 
two (top) and three (bottom). Option fuzzing for Yices2 is not yet implemented (-). 

Tool         L [%]   F [%]   I 
Murxla        37.8    52.5   7 
STORM         20.2    34.3   0 
Murxla-cc     21.5    36.3   1 
TypeFuzz      17.4    30.8   0 

Option     Bitwuzla               Boolector              cvc5                   Yices2 
fuzzing    L [%]  F [%]  I       L [%]  F [%]  I       L [%]  F [%]  I       L [%]  F [%]  I 
no          47.4   63.9  7        68.5   79.2  6        38.9   56.8  11       37.0   42.4  1 
yes         62.9   75.8  23       81.1   87.7  13       49.1   66.8  21       -      -     - 


Option Fuzzing. We evaluate the effectiveness of Murxla with and without 
option fuzzing on all supported solvers. We use the default configuration of 
Murxla, which tests all supported features for each solver. The results are shown 
in Table 1 and showcase the efficacy of option fuzzing both for improving cov- 
erage and for finding issues. In its best configuration, Murxla achieves an API 
function coverage of 85% for Bitwuzla, 94% for Boolector, 68% for cvc5, and 46% 
for Yices2. cvc5 provides the richest API, supporting not only all of SMT-LIB 
but also non-standard theories and non-SMT features like SyGuS and higher-order 
reasoning, which are not yet supported in Murxla. Bitwuzla and Boolector export 
parsing via the API, which is currently only supported in Murxla for Boolector. 
Coverage for Yices2 is low in comparison as it was integrated as a proof of con- 
cept, and its wrapper does not yet implement all of its features nor its option 
model. 


The artifact containing the experimental data of this evaluation is available 
at https://zenodo.org/record/6494381. 


5 Conclusion 


Our experimental evaluation shows that Murxla quickly and effectively finds 
issues in multiple state-of-the-art SMT solvers, even for logics like QF_SLIA 
which have been the subject of month-long fuzzing campaigns [39,47,51,52] over 
the last two years. Furthermore, during the past few months, while finalizing and 
testing Murxla, we found many more issues in these solvers—more than 100 for 
cvc5 alone, and some of them critical [3,4]. Based on this success, we believe 
that Murxla will be a valuable tool for stress-testing SMT solvers and thereby 
improving their correctness and robustness. We are currently in the process of 
integrating it into the development workflow of Bitwuzla, Boolector and cvc5. 
sion between (nondeterministic) Büchi automata, a PSPACE-complete 
problem. Our approach, like others before, leverages a notion of qua- 

which are subsumed by others for the quasiorder. Discarded candidates 
are guaranteed to not compromise the completeness of the algorithm. 
The novelty of our work lies in the quasiorder used to discard candidates. 
We introduce FORQs (family of right quasiorders) that we obtain 
by adapting the notion of family of right congruences put forward by 
Maler and Staiger in 1993. We define a FORQ-based inclusion algorithm 
which we prove correct and instantiate it for a specific FORQ, called the 
structural FORQ, induced by the Büchi automaton to the right of the 
inclusion sign. The resulting implementation, called FORKLIFT, scales 
up better than the state-of-the-art on a variety of benchmarks includ- 

as the underlying formal model. In these settings, Büchi automata respectively 
encode 1) the behaviors of a system as well as properties about it; and 2) the 

complies with a specification naturally reduce to a language inclusion problem 

In this paper we propose a new algorithm for the inclusion problem 
between $\omega$-regular languages given by Büchi automata. The problem is PSPACE-complete [23] 
and significant effort has been devoted to the discovery of algorithms 
for inclusion that behave well in practice [8,10,14,18,22,25]. Each proposed 
algorithm is characterized by a set of techniques (e.g. Ramsey-based, 
rank-based) and heuristics (e.g. antichains, simulation relations). The algorithm 
we propose falls into the category of Ramsey-based algorithms and uses the 
antichain [11] heuristics: the search for counterexamples is pruned using 
quasiorders. Intuitively, when two candidate counterexamples are comparable with 
respect to some considered quasiorder, the “higher” of the two can be discarded 
without compromising completeness of the search. In our setting, counterexamples 
to inclusion are ultimately periodic words, i.e., words of the form $uv^\omega$, where 
$u$ and $v$ are called a stem and a period, respectively. Therefore pruning is done by 
comparing stems and periods of candidate counterexamples during the search. 

In the work of Abdulla et al. [7,8], which was further refined by Clemente et 
al. [10], a single quasiorder is used to compare both stems and periods. Their 
effort has been focused on refining that single quasiorder by enhancing it with 
simulation relations. Others, including some authors of this paper, followed an 
orthogonal line [13,22] that investigates the use of two quasiorders: one for the 
stems and another one, independent, for the periods. The flexibility of using 
different quasiorders yields more pruning when searching for a counterexample. 
In this paper, we push the envelope further by using an unbounded number of 
quasiorders: one for the stems and a family of quasiorders for the periods, each of 
them depending on a distinct stem. We use the acronym FORQ, which stands for 
family of right quasiorders, to refer to these quasiorders. Using FORQs leads to 
significant algorithmic differences compared to the two-quasiorder approaches. 
More precisely, the algorithms with two quasiorders [13,22] compute exactly two 
fixpoints (one for the stems and one for the periods) independently, whereas the 
FORQ-based algorithm that we present computes two fixpoints for the stems and 
unboundedly many fixpoints for the periods (depending on the number of stems 
that belong to the first two fixpoints). Even though we lose the stem/period 
independence and we compute more fixpoints, in practice the use of FORQs 
scales up better than the approaches based on one or two quasiorders. 

We formalize the notion of FORQ by relaxing and generalizing the notion 
of family of right congruences introduced by Maler and Staiger [30] to advance 
the theory of recognizability of $\omega$-regular languages and, in particular, questions 
related to minimal-state automata. Recently, families of right congruences have 
been used in other contexts like the learning of $\omega$-regular languages (see [9] and 
references therein) and Büchi automata complementation [26]. 

Below, we describe how our contributions are organized: 


— We define the notion of FORQs and leverage them to identify key finite sets 
of stems and periods that are sound and complete to decide the inclusion 
problem (Sect. 3). 

— We introduce a FORQ called the structural FORQ which relies on the structure 
of a given Büchi automaton (Sect. 4). 

— We formulate a FORQ-based inclusion algorithm that computes such key 
sets as fixpoints, and then use these key stems and periods to search for 
a counterexample to inclusion via membership queries (Sect. 5). 

— We study the algorithmic complexity of the FORQ-based inclusion algorithm 
instantiated with structural FORQs (Sect. 6). 

— We implement the inclusion algorithm with structural FORQs in a prototype 
called FORKLIFT and we conduct an empirical evaluation on a set of 674 
benchmarks (Sect. 7). 


2 Preliminaries 


Languages. Let $\Sigma$ be a finite and non-empty alphabet. We write $\Sigma^*$ to refer 
to the set of finite words over $\Sigma$ and we write $\varepsilon$ to denote the empty word. 
Given $u \in \Sigma^*$, we denote by $|u|$ the length of $u$. In particular $|\varepsilon| = 0$. We also 
define $\Sigma^+ \triangleq \Sigma^* \setminus \{\varepsilon\}$, and $\Sigma^{\bowtie n} \triangleq \{u \in \Sigma^* \mid |u| \bowtie n\}$ with $\bowtie \in \{\leq, \geq\}$, 
hence $\Sigma^* = \Sigma^{\geq 0}$, $\Sigma^+ = \Sigma^{\geq 1}$. We write $\Sigma^\omega$ to refer to the set of infinite words 
over $\Sigma$. An infinite word $w \in \Sigma^\omega$ is said to be ultimately periodic if it admits 
a decomposition $w = uv^\omega$ with $u \in \Sigma^*$ (called a stem) and $v \in \Sigma^+$ (called a 
period). We fix an alphabet $\Sigma$ throughout the paper. 


Order Theory. Let $E$ be a set of elements and $\preccurlyeq$ be a binary relation over $E$. 
The relation $\preccurlyeq$ is said to be a quasiorder when it is reflexive and transitive. Given 
a subset $X$ of $E$, we define its upward closure with respect to the quasiorder $\preccurlyeq$ 
by $\uparrow_{\preccurlyeq} X \triangleq \{e \in E \mid \exists x \in X,\ x \preccurlyeq e\}$. Given two subsets $X, Y \subseteq E$ the set 
$Y$ is said to be a basis for $X$ with respect to $\preccurlyeq$, denoted $\mathcal{B}_{\preccurlyeq}(Y, X)$, whenever 
$Y \subseteq X$ and $\uparrow_{\preccurlyeq} X = \uparrow_{\preccurlyeq} Y$. The quasiorder $\preccurlyeq$ is a well-quasiorder iff for each set 
$X \subseteq E$ there exists a finite set $Y \subseteq E$ such that $\mathcal{B}_{\preccurlyeq}(Y, X)$. This property on 
bases is also known as the finite basis property. Other equivalent definitions of 
well-quasiorders can be found in the literature [27]; we will use the following: 


1. For every $\{e_i\}_{i \in \mathbb{N}} \in E^{\mathbb{N}}$ there exist $i, j \in \mathbb{N}$ with $i < j$ such that $e_i \preccurlyeq e_j$. 
2. No sequence $\{X_i\}_{i \in \mathbb{N}} \in \wp(E)^{\mathbb{N}}$ is such that $\uparrow_{\preccurlyeq} X_1 \subsetneq \uparrow_{\preccurlyeq} X_2 \subsetneq \cdots$ holds.¹ 


Automata. A (nondeterministic) Büchi automaton $\mathcal{B}$ (BA for short) is a tuple 
$(Q, q_I, \Delta, F)$ where $Q$ is a finite set of states including $q_I$, the initial state, 
$\Delta \subseteq Q \times \Sigma \times Q$ is the transition relation, and $F \subseteq Q$ is the set of accepting 
states. We lift $\Delta$ to finite words as expected. We prefer to write $\mathcal{B}\colon q_1 \xrightarrow{u} q_2$ 
instead of $(q_1, u, q_2) \in \Delta$. In addition, we write $\mathcal{B}\colon q_1 \xrightarrow{u}_F q_2$ when there exists a 
state $q_F \in F$ and two words $u_1, u_2$ such that $\mathcal{B}\colon q_1 \xrightarrow{u_1} q_F \xrightarrow{u_2} q_2$, and $u = u_1 u_2$. 

A run $\pi$ of $\mathcal{B}$ over $u = a_0 a_1 \cdots \in \Sigma^\omega$ is a function $\pi\colon \mathbb{N} \to Q$ such that 
$\pi(0) = q_I$ and for all positions $i \in \mathbb{N}$, we have that $\mathcal{B}\colon \pi(i) \xrightarrow{a_i} \pi(i+1)$. A 
run is said to be accepting if $\pi(i) \in F$ for infinitely many values of $i \in \mathbb{N}$. The 
language $L(\mathcal{B})$ of words recognized by $\mathcal{B}$ is the set of $\omega$-words for which $\mathcal{B}$ admits 
an accepting run. A language $L$ is $\omega$-regular if it is recognized by some BA. 


¹ The notation $\wp(E)$ denotes the set of all subsets of $E$. 
3 Foundations of Our Approach 


Let $\mathcal{A} = (P, p_I, \Delta_{\mathcal{A}}, F_{\mathcal{A}})$ be a Büchi automaton and $M$ be an $\omega$-regular language. 
The main idea behind our approach is to compute a finite subset $T_{\mathcal{A}}$ of ultimately 
periodic words of $L(\mathcal{A})$ such that: 


$$T_{\mathcal{A}} \subseteq M \iff L(\mathcal{A}) \subseteq M. \qquad (\dagger)$$ 


Then $L(\mathcal{A}) \subseteq M$ holds iff each of the finitely many words of $T_{\mathcal{A}}$ belongs to $M$, 
which is tested via membership queries. 

First we observe that such a subset always exists: if the inclusion holds take 
$T_{\mathcal{A}}$ to be any finite subset of $L(\mathcal{A})$ (empty set included); else take $T_{\mathcal{A}}$ to contain 
some ultimately periodic word that is a counterexample to inclusion. In what 
follows, we will show that a finite subset $T_{\mathcal{A}}$ satisfying $(\dagger)$ can be computed by 
using an ordering to prune the ultimately periodic words of $L(\mathcal{A})$. We will obtain 
such an ordering using a family of right quasiorders, a notion introduced below. 


Definition 1 (FORQ). A family of right quasiorders is a pair $(\preccurlyeq, \{\preccurlyeq_u\}_{u \in \Sigma^*})$ 
where $\preccurlyeq \subseteq \Sigma^* \times \Sigma^*$ is a right-monotonic² quasiorder, as is every $\preccurlyeq_u \subseteq 
\Sigma^* \times \Sigma^*$ where $u \in \Sigma^*$. Additionally, for all $u, u' \in \Sigma^*$, we require 
$u \preccurlyeq u' \Rightarrow\ \preccurlyeq_{u'} \subseteq\ \preccurlyeq_u$, called the FORQ constraint. 


First, we observe that the above definition uses separate orderings for stems 
and periods. The definition goes even further: the ordering used for periods 
depends on stems, so that a period may or may not be discarded depending on 
the stem under consideration. The FORQ constraint tells us that if the periods 
$v$ and $w$ compare for a stem $u'$, that is $v \preccurlyeq_{u'} w$, then they also compare for 
every stem $u$ subsuming $u'$, that is $v \preccurlyeq_u w$ whenever $u \preccurlyeq u'$. 

Expectedly, a FORQ needs to satisfy certain properties for $T_{\mathcal{A}}$ to be finite and 
computable and for $(\dagger)$ to hold (in particular the left to right direction). The 
property of right-monotonicity of FORQs is needed so that we can iteratively 
compute $T_{\mathcal{A}}$ via a fixpoint computation (see Sect. 5). 


Definition 2 (Suitable FORQ). A FORQ $\mathcal{F} \triangleq (\preccurlyeq, \{\preccurlyeq_u\}_{u \in \Sigma^*})$ is said to be 
finite (resp. decidable) when $\preccurlyeq$, its converse $\preccurlyeq^{-1}$, and $\{\preccurlyeq_u\}$ for all $u \in \Sigma^*$ are 
all well-quasiorders (resp. computable). Given $L \subseteq \Sigma^\omega$, $\mathcal{F}$ is said to preserve $L$ 
when for all $u, \hat{u} \in \Sigma^*$ and all $v, \hat{v} \in \Sigma^+$, if $uv^\omega \in L$, $u \preccurlyeq \hat{u}$, $v \preccurlyeq_{\hat{u}} \hat{v}$ and $\hat{u}\hat{v} \preccurlyeq \hat{u}$ 
then $\hat{u}\hat{v}^\omega \in L$. Finally, $\mathcal{F}$ is said to be $L$-suitable (for inclusion) if it is finite, 
decidable and preserves $L$. 


Intuitively, the “well” property on the quasiorders ensures finiteness of $T_{\mathcal{A}}$. 
The preservation property ensures completeness: a counterexample to $L(\mathcal{A}) \subseteq M$ 
can only be discarded (that is, not included in $T_{\mathcal{A}}$) if it is subsumed by another 
ultimately periodic word in $T_{\mathcal{A}}$ that is also a counterexample to inclusion. 

Before defining $T_{\mathcal{A}}$ we introduce for each state $p \in P$ the sets of words 


$$\mathrm{Stem}_p \triangleq \{u \in \Sigma^* \mid \mathcal{A}\colon p_I \xrightarrow{u} p\} \quad \text{and} \quad \mathrm{Per}_p \triangleq \{v \in \Sigma^+ \mid \mathcal{A}\colon p \xrightarrow{v} p\}.$$ 


² A quasiorder $\preccurlyeq$ on $\Sigma^*$ is right-monotonic when $u \preccurlyeq v$ implies $uw \preccurlyeq vw$ for all $w \in \Sigma^*$. 

The set $\mathrm{Stem}_p$ is the set of stems of $L(\mathcal{A})$ that reach state $p$ in $\mathcal{A}$ while the 
set $\mathrm{Per}_p$ is the set of periods read by a cycle of $\mathcal{A}$ on state $p$. 
Given an $M$-suitable FORQ $\mathcal{F} = (\preccurlyeq, \{\preccurlyeq_u\}_{u \in \Sigma^*})$, we let 


$$T_{\mathcal{A}} \triangleq \{uv^\omega \mid \exists s \in F_{\mathcal{A}}\colon u \in U_s,\ v \in V_s^w \text{ for some } w \in W_s \text{ with } u \preccurlyeq w\} \qquad (\ddagger)$$ 


where for all $p \in P$, the set $U_p$ is a basis of $\mathrm{Stem}_p$ with respect to $\preccurlyeq$, that 
is $\mathcal{B}_{\preccurlyeq}(U_p, \mathrm{Stem}_p)$ holds. Moreover $\mathcal{B}_{\preccurlyeq^{-1}}(W_p, \mathrm{Stem}_p)$ holds and $\mathcal{B}_{\preccurlyeq_w}(V_p^w, \mathrm{Per}_p)$ 
holds for all $w \in W_p$. Note that the quasiorder $\preccurlyeq_w$ used to prune the periods 
of $\mathrm{Per}_p$ depends on a stem $w$ of $\mathrm{Stem}_p$ that is maximal w.r.t. $\preccurlyeq$, since $w$ belongs to the 
basis $W_p$ for $\preccurlyeq^{-1}$. The correctness argument for choosing $\preccurlyeq_w$ essentially relies 
on the FORQ constraint, as the proof of $(\dagger)$ given below shows. In Sect. 8 we 
will show that when $w$ is not “maximal” the quasiorder $\preccurlyeq_w$ yields a set $T_{\mathcal{A}}$ for 
which $(\dagger)$ does not hold. 

Furthermore, we conclude from the finite basis property of the quasiorders of 
$\mathcal{F}$ that $U_p$, $W_p$ and $\{V_p^w\}_{w \in \Sigma^*}$ are finite for all $p \in P$, hence $T_{\mathcal{A}}$ is a finite subset 
of ultimately periodic words of $L(\mathcal{A})$. Next we prove the equivalence $(\dagger)$. The 
proof crucially relies on the preservation property of $\mathcal{F}$, which allows discarding 
candidate counterexamples without losing completeness, that is, if inclusion 
does not hold a counterexample will be returned. 


Proof (of $(\dagger)$). Consider $\mathrm{Ultim}_{\mathcal{A}} \triangleq \{uv^\omega \mid \exists s \in F_{\mathcal{A}}\colon u \in \mathrm{Stem}_s,\ v \in \mathrm{Per}_s,\ uv \preccurlyeq u\}$. 
It is easy to show that $\mathrm{Ultim}_{\mathcal{A}} = \{uv^\omega \mid \exists s \in F_{\mathcal{A}}\colon u \in \mathrm{Stem}_s,\ v \in \mathrm{Per}_s\}$ 
(same definition as $\mathrm{Ultim}_{\mathcal{A}}$ but without the constraint $uv \preccurlyeq u$) by reasoning 
on properties of well-quasiorders.³ It is well-known that $\omega$-regular language 
inclusion holds if and only if it holds for ultimately periodic words. Formally 
$L(\mathcal{A}) \subseteq M$ holds if and only if $\mathrm{Ultim}_{\mathcal{A}} \subseteq M$ holds. Therefore, to prove $(\dagger)$, we 
show that $T_{\mathcal{A}} \subseteq M \iff \mathrm{Ultim}_{\mathcal{A}} \subseteq M$. 

To prove the implication $\mathrm{Ultim}_{\mathcal{A}} \subseteq M \Rightarrow T_{\mathcal{A}} \subseteq M$ we start by taking a 
word $uv^\omega \in T_{\mathcal{A}}$, such that, by definition $(\ddagger)$, $u \in U_s$ and $v \in V_s^w$ for some 
$s \in F_{\mathcal{A}}$ and $w \in W_s$. We conclude from $\mathcal{B}_{\preccurlyeq}(U_s, \mathrm{Stem}_s)$ and $\mathcal{B}_{\preccurlyeq_w}(V_s^w, \mathrm{Per}_s)$ that 
$u \in U_s \subseteq \mathrm{Stem}_s$ and $v \in V_s^w \subseteq \mathrm{Per}_s$. Thus, we find that $uv^\omega \in \mathrm{Ultim}_{\mathcal{A}}$, hence 
the assumption $\mathrm{Ultim}_{\mathcal{A}} \subseteq M$ shows that $uv^\omega \in M$, which proves the implication. 

Next, we prove that $T_{\mathcal{A}} \subseteq M \Rightarrow \mathrm{Ultim}_{\mathcal{A}} \subseteq M$ holds as well. Let $uv^\omega \in 
\mathrm{Ultim}_{\mathcal{A}}$, i.e., such that there exists $s \in F_{\mathcal{A}}$ for which $u \in \mathrm{Stem}_s$ and $v \in \mathrm{Per}_s$, 
satisfying $uv \preccurlyeq u$. Since $u \in \mathrm{Stem}_s$ and $v \in \mathrm{Per}_s$, there exist $u_0 \in U_s$, $w_0 \in W_s$ 
and $v_0 \in V_s^{w_0}$ such that $u_0 \preccurlyeq u \preccurlyeq w_0$ and $v_0 \preccurlyeq_{w_0} v$ thanks to the finite basis 
property. By definition we have $u_0 v_0^\omega \in T_{\mathcal{A}}$ and thus we find that $u_0 v_0^\omega \in M$ since 
$T_{\mathcal{A}} \subseteq M$. Next, since $u \preccurlyeq w_0$, the FORQ constraint shows that $\preccurlyeq_{w_0} \subseteq\ \preccurlyeq_u$ which, 
in turn, implies that $v_0 \preccurlyeq_u v$ holds. Finally, we deduce from $u_0 v_0^\omega \in M$, $u_0 \preccurlyeq u$, 
$v_0 \preccurlyeq_u v$, $uv \preccurlyeq u$ and the preservation of $M$ by the FORQ $\mathcal{F}$ that $uv^\omega \in M$. We 
thus obtain that $\mathrm{Ultim}_{\mathcal{A}} \subseteq M$ and we are done. 


³ The case $\subseteq$ is trivial. For the case $\supseteq$, let $uv^\omega$ with $u \in \mathrm{Stem}_s$ and $v \in \mathrm{Per}_s$. If 
$uv \preccurlyeq u$ then we are done; otherwise consider the sequence $\{uv^i\}_{i \in \mathbb{N}}$. Since $\preccurlyeq^{-1}$ 
is a well-quasiorder, there exist $x, y \in \mathbb{N}$ such that $x < y$ and $uv^x \preccurlyeq^{-1} uv^y$ (viz. 
$uv^y \preccurlyeq uv^x$). Therefore we have $(uv^x)(v^{y-x})^\omega = uv^\omega$, $(uv^x) \in \mathrm{Stem}_s$, $(v^{y-x}) \in \mathrm{Per}_s$, 
and $(uv^x)(v^{y-x}) \preccurlyeq (uv^x)$, hence $uv^\omega \in \mathrm{Ultim}_{\mathcal{A}}$. 
Example 3. To gain more insights about our approach consider the BAs of Fig. 1 
for which we want to check whether $L(\mathcal{A}) \subseteq L(\mathcal{B})$ holds. From the description 
of $\mathcal{A}$ it is routine to check that $\mathrm{Stem}_{p_I} = \Sigma^*$ and $\mathrm{Per}_{p_I} = \Sigma^+$. Let us assume 
the existence⁴ of $\preccurlyeq$ (hence $\preccurlyeq^{-1}$), $\preccurlyeq_\varepsilon$ and $\preccurlyeq_{aa}$ such that $a \preccurlyeq aa$ holds and so 
does $\mathcal{B}_{\preccurlyeq}(\{\varepsilon, a\}, \Sigma^*)$, $\mathcal{B}_{\preccurlyeq^{-1}}(\{\varepsilon, aa\}, \Sigma^*)$, $\mathcal{B}_{\preccurlyeq_\varepsilon}(\{b\}, \Sigma^+)$ and $\mathcal{B}_{\preccurlyeq_{aa}}(\{a\}, \Sigma^+)$. In 
addition, we set $U_{p_I} = \{\varepsilon, a\}$ since $\mathcal{B}_{\preccurlyeq}(\{\varepsilon, a\}, \Sigma^*)$ and $W_{p_I} = \{\varepsilon, aa\}$ since 
$\mathcal{B}_{\preccurlyeq^{-1}}(\{\varepsilon, aa\}, \Sigma^*)$. Moreover $V_{p_I}^\varepsilon = \{b\}$ since $\mathcal{B}_{\preccurlyeq_\varepsilon}(\{b\}, \Sigma^+)$, and $V_{p_I}^{aa} = \{a\}$ 
since $\mathcal{B}_{\preccurlyeq_{aa}}(\{a\}, \Sigma^+)$. Next by definition $(\ddagger)$ of $T_{\mathcal{A}}$ and from $a \preccurlyeq aa$ we deduce 
that $T_{\mathcal{A}} = \{\varepsilon(b)^\omega, a(a)^\omega\}$. Finally, we conclude from $(\dagger)$ and $a^\omega \in T_{\mathcal{A}}$ that 
$a^\omega \in L(\mathcal{A})$ (since $T_{\mathcal{A}} \subseteq L(\mathcal{A})$), hence that $L(\mathcal{A}) \not\subseteq L(\mathcal{B})$ because $a^\omega \notin L(\mathcal{B})$. By 
checking membership of the two ultimately periodic words of $T_{\mathcal{A}}$ in $L(\mathcal{B})$ we 
thus have shown that $L(\mathcal{A}) \subseteq L(\mathcal{B})$ does not hold. 


In the example above we did not detail how the FORQ was obtained, let alone 
how to compute the finite bases. We fill that gap in the next two sections: we 
define FORQs based on the underlying structure of a given BA in Sect. 4 and 
show they are suitable; and we give an effective computation of the bases, hence 
our FORQ-based inclusion algorithm, in Sect. 5. 


4 Defining FORQs from the Structure of an Automaton 


In this section we introduce a type of FORQs called structural FORQs such that 
given a BA B the structural FORQ induced by B is L(B)-suitable. 


Definition 4. Let $\mathcal{B} \triangleq (Q, q_I, \Delta_{\mathcal{B}}, F_{\mathcal{B}})$ be a BA. The structural FORQ of $\mathcal{B}$ is 
the pair $(\preccurlyeq^{\mathcal{B}}, \{\preccurlyeq^{\mathcal{B}}_u\}_{u \in \Sigma^*})$ where the quasiorders are defined by: 


$$u_1 \preccurlyeq^{\mathcal{B}} u_2 \iff \mathrm{Tgt}_{\mathcal{B}}(u_1) \subseteq \mathrm{Tgt}_{\mathcal{B}}(u_2)$$ 


$$v_1 \preccurlyeq^{\mathcal{B}}_u v_2 \iff \mathrm{Cxt}_{\mathcal{B}}(\mathrm{Tgt}_{\mathcal{B}}(u), v_1) \subseteq \mathrm{Cxt}_{\mathcal{B}}(\mathrm{Tgt}_{\mathcal{B}}(u), v_2)$$ 
with $\mathrm{Tgt}_{\mathcal{B}}\colon \Sigma^* \to \wp(Q)$ and $\mathrm{Cxt}_{\mathcal{B}}\colon \wp(Q) \times \Sigma^* \to \wp(Q^2 \times \{\bot, \top\})$ 


$$\mathrm{Tgt}_{\mathcal{B}}(u) \triangleq \{q \in Q \mid \mathcal{B}\colon q_I \xrightarrow{u} q\}$$ 
$$\mathrm{Cxt}_{\mathcal{B}}(X, v) \triangleq \{(q, q', k) \mid q \in X,\ \mathcal{B}\colon q \xrightarrow{v} q',\ (k = \top \Rightarrow \mathcal{B}\colon q \xrightarrow{v}_F q')\}$$ 


Given $u \in \Sigma^*$, the set $\mathrm{Tgt}_{\mathcal{B}}(u)$ contains the states that $u$ can “target” from 
the initial state $q_I$. A “context” $(q, q', k)$ returned by $\mathrm{Cxt}_{\mathcal{B}}$ consists of a source 
state $q \in Q$, a sink state $q' \in Q$ and a boolean $k \in \{\top, \bot\}$ that keeps track of 
whether an accepting state is visited. Note that having $\bot$ as last component of 
a context does not mean that no accepting state is visited. When it is clear from 
the context, we often omit the subscript $\mathcal{B}$ from $\mathrm{Tgt}_{\mathcal{B}}$ and $\mathrm{Cxt}_{\mathcal{B}}$. Analogously, we 
omit the BA from the structural FORQ quasiorders when there is no ambiguity. 


Lemma 5. Given a BA $\mathcal{B}$, the pair $(\preccurlyeq^{\mathcal{B}}, \{\preccurlyeq^{\mathcal{B}}_u\}_{u \in \Sigma^*})$ of Definition 4 is a FORQ. 


⁴ The definitions of the orderings, needed to compute the bases, are given in Example 6. 

[Fig. 1 diagram omitted: the drawings of automata $\mathcal{A}$ and $\mathcal{B}$ did not survive extraction, only the edge labels a,b and b.] 


Fig. 1. Büchi automata $\mathcal{A}$ and $\mathcal{B}$ over the alphabet $\Sigma = \{a, b\}$. 


Proof. Let $\mathcal{B} \triangleq (Q, q_I, \Delta_{\mathcal{B}}, F_{\mathcal{B}})$ be a BA; we start by proving that the FORQ 
constraint holds: $u \preccurlyeq^{\mathcal{B}} u' \Rightarrow\ \preccurlyeq^{\mathcal{B}}_{u'} \subseteq\ \preccurlyeq^{\mathcal{B}}_u$. First, we observe that, for all $Y \subseteq 
X \subseteq Q$ and all $v, v' \in \Sigma^*$, we have that $\mathrm{Cxt}(X, v) \subseteq \mathrm{Cxt}(X, v') \Rightarrow \mathrm{Cxt}(Y, v) \subseteq 
\mathrm{Cxt}(Y, v')$. Consider $u, u' \in \Sigma^*$ such that $u \preccurlyeq^{\mathcal{B}} u'$ and $v, v' \in \Sigma^*$ such that 
$v \preccurlyeq^{\mathcal{B}}_{u'} v'$. Let $X \triangleq \mathrm{Tgt}(u)$ and $X' \triangleq \mathrm{Tgt}(u')$; we have that $X \subseteq X'$ following 
$u \preccurlyeq^{\mathcal{B}} u'$. Next, we conclude from $v \preccurlyeq^{\mathcal{B}}_{u'} v'$ that $\mathrm{Cxt}(X', v) \subseteq \mathrm{Cxt}(X', v')$, hence 
that $\mathrm{Cxt}(X, v) \subseteq \mathrm{Cxt}(X, v')$ by the above reasoning using $X \subseteq X'$, and finally 
that $v \preccurlyeq^{\mathcal{B}}_u v'$. 

For the right-monotonicity, Definition 4 shows that if $\mathrm{Tgt}(u) \subseteq \mathrm{Tgt}(v)$ then 
$\mathrm{Tgt}(ua) \subseteq \mathrm{Tgt}(va)$, hence we have $u \preccurlyeq v$ implies $ua \preccurlyeq va$ for all $a \in \Sigma$. The 
reasoning with the other quasiorders and $\mathrm{Cxt}$ proceeds analogously. 


Example 6. Consider the BA $\mathcal{B}$ of Fig. 1 and let $(\preccurlyeq, \{\preccurlyeq_u\}_{u \in \Sigma^*})$ be its structural 
FORQ. More precisely, we have $\mathrm{Tgt}(\varepsilon) = \{q_I\}$; $\mathrm{Tgt}(a) = \mathrm{Tgt}(b) = \{q_1\}$; and 
$\mathrm{Tgt}(u) = \{q_1, q_2\}$ for all $u \in \Sigma^{\geq 2}$. In particular we conclude from $u_1 \preccurlyeq u_2 \iff 
\mathrm{Tgt}(u_1) \subseteq \mathrm{Tgt}(u_2)$ that $a \preccurlyeq aa$, $a \preccurlyeq b$ and $b \preccurlyeq a$; $\varepsilon$ and $a$ are incomparable; and 
so are $\varepsilon$ and $aa$. Since $\mathrm{Tgt}$ has only three distinct outputs, the set $\{\preccurlyeq_u\}_{u \in \Sigma^*}$ 
contains three distinct quasiorders. 


1. $v_1 \preccurlyeq_\varepsilon v_2 \iff \mathrm{Cxt}(\{q_I\}, v_1) \subseteq \mathrm{Cxt}(\{q_I\}, v_2)$ where 
— $\mathrm{Cxt}(\{q_I\}, \varepsilon) = \{(q_I, q_I, \bot)\}$ 
— $\mathrm{Cxt}(\{q_I\}, a) = \mathrm{Cxt}(\{q_I\}, b) = \{(q_I, q_1, \bot)\}$ 
— $\mathrm{Cxt}(\{q_I\}, v) = \{(q_I, q_1, \bot), (q_I, q_2, \bot), (q_I, q_2, \top)\}$ for all $v \in \Sigma^{\geq 2}$ 
2. $v_1 \preccurlyeq_a v_2 \iff v_1 \preccurlyeq_b v_2 \iff \mathrm{Cxt}(\{q_1\}, v_1) \subseteq \mathrm{Cxt}(\{q_1\}, v_2)$ where 
— $\mathrm{Cxt}(\{q_1\}, \varepsilon) = \{(q_1, q_1, \bot)\}$ 
— $\mathrm{Cxt}(\{q_1\}, v) = \{(q_1, q_1, \bot), (q_1, q_2, \bot), (q_1, q_2, \top)\}$ for all $v \in \Sigma^+$ 
3. $v_1 \preccurlyeq_{u_1} v_2 \iff v_1 \preccurlyeq_{u_2} v_2 \iff \mathrm{Cxt}(\{q_1, q_2\}, v_1) \subseteq \mathrm{Cxt}(\{q_1, q_2\}, v_2)$ for all 
$u_1, u_2 \in \Sigma^{\geq 2}$ where 
— $\mathrm{Cxt}(\{q_1, q_2\}, \varepsilon) = \{(q_1, q_1, \bot), (q_2, q_2, \bot), (q_2, q_2, \top)\}$ 
— $\mathrm{Cxt}(\{q_1, q_2\}, v) = \{(q_1, q_1, \bot), (q_1, q_2, \bot), (q_1, q_2, \top)\}$ for all $v \in \Sigma^+ \setminus \{b\}^+$ 
— $\mathrm{Cxt}(\{q_1, q_2\}, v) = \{(q_1, q_1, \bot), (q_1, q_2, \bot), (q_1, q_2, \top), (q_2, q_2, \bot), (q_2, q_2, \top)\}$ for 
all $v \in \{b\}^+$ 


With the above definitions the reader is invited to check the following 
predicates: $\mathcal{B}_{\preccurlyeq}(\{\varepsilon, a\}, \Sigma^*)$, $\mathcal{B}_{\preccurlyeq}(\{\varepsilon, b\}, \Sigma^*)$, $\mathcal{B}_{\preccurlyeq^{-1}}(\{\varepsilon, aa\}, \Sigma^*)$, $\mathcal{B}_{\preccurlyeq_\varepsilon}(\{b\}, \Sigma^+)$, 
$\mathcal{B}_{\preccurlyeq_a}(\{b\}, \Sigma^+)$ and $\mathcal{B}_{\preccurlyeq_{aa}}(\{a\}, \Sigma^+)$. Also observe that none of the above finite 
bases contains comparable words for the ordering thereof. We also encourage the 
reader to revisit Example 3. 
As prescribed in Sect. 3, we show that for every BA $\mathcal{B}$ its structural FORQ is 
$L(\mathcal{B})$-suitable, namely it is finite, decidable and preserves $L(\mathcal{B})$. 


Proposition 7. Given a BA $\mathcal{B}$, its structural FORQ is $L(\mathcal{B})$-suitable. 


Proof. Let $\mathcal{B} = (Q, q_I, \Delta_{\mathcal{B}}, F_{\mathcal{B}})$ be a BA and $\mathcal{F} \triangleq (\preccurlyeq, \{\preccurlyeq_u\}_{u \in \Sigma^*})$ be its structural 
FORQ. The finiteness proof of $\mathcal{F}$ is trivial since $Q$ is finite, and so is the proof 
of decidability by Definition 4. For the preservation, given $u_0 v_0^\omega \in L(\mathcal{B})$, we 
show that for all $u \in \Sigma^*$ and all $v \in \Sigma^+$ such that $uv \preccurlyeq u$, $u_0 \preccurlyeq u$ and 
$v_0 \preccurlyeq_u v$, then $uv^\omega \in L(\mathcal{B})$ holds. Let $\pi_0 \triangleq q_I \xrightarrow{u_0} q_0 \xrightarrow{v_0} q_1 \xrightarrow{v_0} q_2 \cdots$ be an 
accepting run of $\mathcal{B}$ over $u_0 v_0^\omega$. Stated equivalently, we have $q_0 \in \mathrm{Tgt}(u_0)$ and 
$(q_i, q_{i+1}, x_i) \in \mathrm{Cxt}(\mathrm{Tgt}(u_0 v_0^i), v_0)$ for every $i \in \mathbb{N}$ with the additional constraint 
that $x_i = \top$ holds infinitely often. 

We will show that $\mathcal{B}$ has an accepting run over $uv^\omega$ by showing that 
$q_0 \in \mathrm{Tgt}(u)$ holds; $(q_i, q_{i+1}, x_i) \in \mathrm{Cxt}(\mathrm{Tgt}(uv^i), v)$ holds for every $i \in \mathbb{N}$; 
and $x_i = \top$ holds infinitely often. Since $u_0 \preccurlyeq u$ and $q_0 \in \mathrm{Tgt}(u_0)$ we find 
that $q_0 \in \mathrm{Tgt}(u)$ by definition of $\preccurlyeq$. Next we show the remaining constraints 
by induction. The induction hypothesis states that for all $0 \leq n$ we have 
$(q_n, q_{n+1}, x_n) \in \mathrm{Cxt}(\mathrm{Tgt}(uv^n), v)$. For the base case ($n = 0$) we have to show that 
$(q_0, q_1, x_0) \in \mathrm{Cxt}(\mathrm{Tgt}(u), v)$. We conclude from $(q_0, q_1, x_0) \in \mathrm{Cxt}(\mathrm{Tgt}(u), v_0)$, 
$v_0 \preccurlyeq_u v$ and the definition of $\preccurlyeq_u$ that $\mathrm{Cxt}(\mathrm{Tgt}(u), v_0) \subseteq \mathrm{Cxt}(\mathrm{Tgt}(u), v)$ 
and finally that $(q_0, q_1, x_0) \in \mathrm{Cxt}(\mathrm{Tgt}(u), v)$. For the inductive case, assume 
$(q_n, q_{n+1}, x_n) \in \mathrm{Cxt}(\mathrm{Tgt}(uv^n), v)$. The definition of context shows that $q_{n+1} \in 
\mathrm{Tgt}(uv^{n+1})$. It takes an easy induction to show that $uv^n \preccurlyeq u$ for all $n$ 
using $uv \preccurlyeq u$ and right-monotonicity of $\preccurlyeq$. We conclude from $uv^{n+1} \preccurlyeq u$, 
the definition of $\preccurlyeq$ and $q_{n+1} \in \mathrm{Tgt}(uv^{n+1})$ that $q_{n+1} \in \mathrm{Tgt}(u)$ also holds, 
hence that $(q_{n+1}, q_{n+2}, x_{n+1}) \in \mathrm{Cxt}(\mathrm{Tgt}(u), v_0)$ following the definition of 
contexts and that of $\pi_0$. Next, we find that $(q_{n+1}, q_{n+2}, x_{n+1}) \in \mathrm{Cxt}(\mathrm{Tgt}(u), v)$ 
following a reasoning analogous to the base case, this time starting with 
$(q_{n+1}, q_{n+2}, x_{n+1}) \in \mathrm{Cxt}(\mathrm{Tgt}(u), v_0)$. Finally, $q_{n+1} \in \mathrm{Tgt}(uv^{n+1})$ implies that 
$(q_{n+1}, q_{n+2}, x_{n+1}) \in \mathrm{Cxt}(\mathrm{Tgt}(uv^{n+1}), v)$. We have thus shown that $q_0 \in \mathrm{Tgt}(u)$ 
and $(q_i, q_{i+1}, x_i) \in \mathrm{Cxt}(\mathrm{Tgt}(uv^i), v)$ for every $i \in \mathbb{N}$ with the additional 
constraint that $x_i = \top$ holds infinitely often, and we are done. 


5 A FORQ-Based Inclusion Algorithm 


As announced at the end of Sect. 3, it remains, in order to formulate our FORQ-based 
algorithm deciding whether $L(\mathcal{A}) \subseteq M$ holds, to give an effective computation 
for the bases defining $T_{\mathcal{A}}$. We start with a fixpoint characterization of the 
stems and periods of BAs using the function $\mathrm{Rcat}_{\mathcal{A}}\colon \wp(\Sigma^*)^{|P|} \to \wp(\Sigma^*)^{|P|}$: 


$$\mathrm{Rcat}_{\mathcal{A}}(\vec{X}).p \triangleq \vec{X}.p \cup \{wa \in \Sigma^* \mid w \in \vec{X}.p',\ a \in \Sigma,\ \mathcal{A}\colon p' \xrightarrow{a} p\}$$ 


where $\vec{S}.p$ denotes the $p$-th element of the vector $\vec{S} \in \wp(\Sigma^*)^{|P|}$. In Fig. 2, the 
repeat/until loops at lines 4 and 5 compute iteratively subsets of the stems of $\mathcal{A}$, 
while the loop at line 10 computes iteratively subsets of the periods of $\mathcal{A}$. The 
following lemma formalizes the above intuition. 
Input: Büchi automaton $\mathcal{A} \triangleq (P, p_I, \Delta_{\mathcal{A}}, F_{\mathcal{A}})$ 
Input: $\omega$-regular language $M$ with a procedure deciding $uv^\omega \in M$ given $u, v$ 
Input: $M$-suitable FORQ $\mathcal{F} \triangleq (\preccurlyeq, \{\preccurlyeq_u\}_{u \in \Sigma^*})$ 
Output: Returns ok if $L(\mathcal{A}) \subseteq M$ and ko otherwise 
1  Function: 
2    let $\vec{U}_0 \in \wp(\Sigma^*)^{|P|}$ as $\vec{U}_0.p \triangleq \emptyset$ with $p \neq p_I$ and $\vec{U}_0.p_I \triangleq \{\varepsilon\}$ 
3    $\vec{W} := \vec{U} := \vec{U}_0$ 
4    repeat $\vec{W} := \mathrm{Rcat}_{\mathcal{A}}(\vec{W})$ until $\mathcal{B}_{\preccurlyeq^{-1}}(\vec{W}.p, \mathrm{Rcat}_{\mathcal{A}}(\vec{W}).p)$ for all $p \in P$ 
5    repeat $\vec{U} := \mathrm{Rcat}_{\mathcal{A}}(\vec{U})$ until $\mathcal{B}_{\preccurlyeq}(\vec{U}.p, \mathrm{Rcat}_{\mathcal{A}}(\vec{U}).p)$ for all $p \in P$ 
6    for each $s \in F_{\mathcal{A}}$ do 
7      let $\vec{V}^s_0 \in \wp(\Sigma^*)^{|P|}$ as $\vec{V}^s_0.p \triangleq \{a \in \Sigma \mid \mathcal{A}\colon s \xrightarrow{a} p\}$ with $p \in P$ 
8      for each $w \in \vec{W}.s$ do 
9        $\vec{V}^s := \vec{V}^s_0$ 
10       repeat $\vec{V}^s := \mathrm{Rcat}_{\mathcal{A}}(\vec{V}^s)$ until $\mathcal{B}_{\preccurlyeq_w}(\vec{V}^s.p, \mathrm{Rcat}_{\mathcal{A}}(\vec{V}^s).p)$ for all $p \in P$ 
11       for each $v \in \vec{V}^s.s$ do 
12         for each $u \in \vec{U}.s$ such that $u \preccurlyeq w$ do 
13           if $uv^\omega \notin M$ then return ko 
14   return ok 


Fig. 2. FORQ-based algorithm 


Lemma 8. Consider $\vec{U}_0$ and $\vec{V}^s_0$ (with $s \in F_{\mathcal{A}}$) in the FORQ-based algorithm. 
The following holds for all $n \in \mathbb{N}$: 


$$\mathrm{Rcat}^n_{\mathcal{A}}(\vec{U}_0).p = \mathrm{Stem}_p \cap \Sigma^{\leq n} \text{ for all } p \in P, \quad \text{and} \quad \mathrm{Rcat}^n_{\mathcal{A}}(\vec{V}^s_0).s = \mathrm{Per}_s \cap \Sigma^{\leq n+1}.$$ 


Prior to proving the correctness of the algorithm of Fig. 2 we need the follow- 
ing result which is key for establishing the correctness of the repeat/until loop 
conditions of lines 4, 5, and 10. 


Lemma 9. Let $\preccurlyeq$ be a right-monotonic quasiorder over $\Sigma^*$. Given 
$\mathcal{A} \triangleq (P, p_I, \Delta_{\mathcal{A}}, F_{\mathcal{A}})$ and $\vec{S}, \vec{S}' \in \wp(\Sigma^*)^{|P|}$, if $\mathcal{B}_{\preccurlyeq}(\vec{S}'.p, \vec{S}.p)$ holds for all $p \in P$ 
then $\mathcal{B}_{\preccurlyeq}(\mathrm{Rcat}_{\mathcal{A}}(\vec{S}').p, \mathrm{Rcat}_{\mathcal{A}}(\vec{S}).p)$ holds for all $p \in P$. 


Proof. Consider $w_1 \in \mathrm{Rcat}_{\mathcal{A}}(\vec{S}).p$ where $p \in P$; we show that there exists $w' \in 
\mathrm{Rcat}_{\mathcal{A}}(\vec{S}').p$ such that $w' \preccurlyeq w_1$. Assume that $\mathcal{B}_{\preccurlyeq}(\vec{S}'.p, \vec{S}.p)$ holds for all $p \in P$. 
In particular, for all $w_x \in \vec{S}.p$, there exists $w_y \in \vec{S}'.p$ such that $w_y \preccurlyeq w_x$. In the 
case where $w_1 \in \mathrm{Rcat}_{\mathcal{A}}(\vec{S}).p \setminus \vec{S}.p$, by definition of $\mathrm{Rcat}_{\mathcal{A}}$, $w_1$ is of the form $w_2 a$ 
for some $a \in \Sigma$ and some $w_2 \in \vec{S}.p'$ such that $\mathcal{A}\colon p' \xrightarrow{a} p$. Since $\mathcal{B}_{\preccurlyeq}(\vec{S}'.p', \vec{S}.p')$ 
and $w_2 \in \vec{S}.p'$, there exists $w_3 \in \vec{S}'.p'$ such that $w_3 \preccurlyeq w_2$. We deduce that 
$w_3 a \preccurlyeq w_2 a$ holds, hence $w_3 a \preccurlyeq w_1$ holds as well, from the right-monotonicity of $\preccurlyeq$. 
Furthermore $w_3 a \in \mathrm{Rcat}_{\mathcal{A}}(\vec{S}').p$ by definition of $\mathrm{Rcat}_{\mathcal{A}}$ and since $\mathcal{A}\colon p' \xrightarrow{a} p$. 
Finally, we conclude that $\mathcal{B}_{\preccurlyeq}(\mathrm{Rcat}_{\mathcal{A}}(\vec{S}').p, \mathrm{Rcat}_{\mathcal{A}}(\vec{S}).p)$ holds. 
Theorem 10. The FORQ-based algorithm decides the inclusion of BAs. 


Proof. We first show that every loop of the algorithm eventually terminates. 
First, we conclude from the definition of $\mathrm{Rcat}_{\mathcal{A}}$ and the initializations (lines 3 
and 9) of each repeat/until loop (lines 4, 5, and 10) that each component of 
each vector holds a finite set of words. Observe that the halting conditions of 
the repeat/until loops are effectively computable since every quasiorder of $\mathcal{F}$ is 
decidable and because, in order to decide $\mathcal{B}_{\preccurlyeq}(Y, X)$ where $X, Y$ are finite sets 
and $\preccurlyeq$ is decidable, it suffices to check that $Y \subseteq X$ and that for every $x \in X$ 
there exists $y \in Y$ such that $y \preccurlyeq x$. Next, we conclude from the fact that all the 
quasiorders of $\mathcal{F}$ used in the repeat/until loops are well-quasiorders that there 
is no infinite sequence $\{X_i\}_{i \in \mathbb{N}}$ such that $\uparrow_{\preccurlyeq} X_1 \subsetneq \uparrow_{\preccurlyeq} X_2 \subsetneq \cdots$. Since $\mathcal{B}_{\preccurlyeq}(Y, X)$ 
is equivalent to $Y \subseteq X \wedge \uparrow_{\preccurlyeq} X \subseteq \uparrow_{\preccurlyeq} Y$, and since each time $\mathrm{Rcat}_{\mathcal{A}}$ updates a 
component its upward closure after the update includes the one before, we find 
that every repeat/until loop must terminate after finitely many iterations. 

Next, we show that when the repeat/until loop of line 5 halts, 
$\mathcal{B}_{\preccurlyeq}(\vec{U}.p, \mathrm{Stem}_p)$ holds for all $p \in P$. It takes an easy induction on $n$ together with 
Lemma 9 to show that if $\mathcal{B}_{\preccurlyeq}(\mathrm{Rcat}^n_{\mathcal{A}}(\vec{U}_0).p, \mathrm{Rcat}^{n+1}_{\mathcal{A}}(\vec{U}_0).p)$ holds for all $p \in P$ 
then $\mathcal{B}_{\preccurlyeq}(\mathrm{Rcat}^n_{\mathcal{A}}(\vec{U}_0).p, \mathrm{Rcat}^m_{\mathcal{A}}(\vec{U}_0).p)$ holds for all $m \geq n$. Hence Lemma 8 shows 
that $\mathcal{B}_{\preccurlyeq}(\mathrm{Rcat}^k_{\mathcal{A}}(\vec{U}_0).p, \mathrm{Stem}_p)$ holds for all $p \in P$ where $k$ is the number of 
iterations of the repeat/until loop, implying that $\mathcal{B}_{\preccurlyeq}(\vec{U}.p, \mathrm{Stem}_p)$ holds when the loop of 
line 5 halts. 

An analogous reasoning shows that $\mathcal{B}_{\preccurlyeq^{-1}}(\vec{W}.p, \mathrm{Stem}_p)$ holds for all $p \in P$, as 
well as $\mathcal{B}_{\preccurlyeq_w}(\vec{V}^s.s, \mathrm{Per}_s)$ for all $w \in \vec{W}.s$ and all $s \in F_{\mathcal{A}}$, upon termination 
of the loops of lines 4 and 10. 

To conclude, we observe that each time a membership query is performed 
at line 13, the ultimately periodic word $uv^\omega$ belongs to $T_{\mathcal{A}}$ defined by $(\ddagger)$. 
This is ensured since $u \in \vec{U}.s$ with $\mathcal{B}_{\preccurlyeq}(\vec{U}.s, \mathrm{Stem}_s)$, $w \in \vec{W}.s$ with $\mathcal{B}_{\preccurlyeq^{-1}}(\vec{W}.s, \mathrm{Stem}_s)$, 
$v \in \vec{V}^s.s$ with $\mathcal{B}_{\preccurlyeq_w}(\vec{V}^s.s, \mathrm{Per}_s)$ for some $s \in F_{\mathcal{A}}$ and, thanks to the test at line 12, 
the comparison $u \preccurlyeq w$ holds. 


Remark 11. The correctness of the FORQ-based algorithm still holds when, 
after every “:=” assignment (at lines 3, 4, 5, 9 and 10), we remove from the 
variable content zero or more subsumed words for the corresponding ordering. 
The effect of removing zero or more subsumed words from a variable can be 
achieved by replacing assignments like, for instance, $\vec{U} := \mathrm{Rcat}_{\mathcal{A}}(\vec{U})$ at line 5 
with $\vec{U} := \mathrm{Rcat}_{\mathcal{A}}(\vec{U});\ \vec{U} := \vec{U}'$, where $\vec{U}'$ satisfies $\mathcal{B}_{\preccurlyeq}(\vec{U}'.p, \vec{U}.p)$ for all $p \in P$. 
The correctness of the previous modification follows from Lemma 9. Therefore, 
the sets obtained by discarding subsumed words during computations still satisfy 
the basis predicates of $T_{\mathcal{A}}$ given at $(\ddagger)$. 


It is worth pointing out that the correctness arguments developed above do 
not depend on the specifics of the structural FORQs. The FORQ-based algorithm 
is sound as long as we provide a suitable FORQ. Next we study the algorithmic 
complexity of the algorithm of Fig. 2. 
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6 Complexity of the Structural FORQ-Based Algorithm 


In this section, we establish an upper bound on the runtime of the algorithm 
of Fig. 2 when the input FORQ is the structural FORQ induced by a BA $\mathcal{B}$. 
Let $n_{\mathcal{A}}$ and $n_{\mathcal{B}}$ be respectively the number of states in the BAs $\mathcal{A}$ and $\mathcal{B}$. We 
start by bounding the number of iterations in the repeat/until loops. In each 
repeat/until loop, each component of the vector holds a finite set of words the 
upward closure of which grows (for $\subseteq$) over time, and when all the upward closures 
stabilize the loop terminates. In the worst case, an iteration of the repeat/until 
loop adds exactly one word to some component of the vector which keeps the 
halting condition falsified (the upward closure strictly increases). Therefore a 
component of the vector cannot be updated more than $2^{n_{\mathcal{B}}}$ times, for otherwise 
its upward closure has stabilized. We thus find that the total number of iterations 
is bounded from above by $n_{\mathcal{A}} \cdot 2^{n_{\mathcal{B}}}$ for the loops computing $\vec{U}$ and $\vec{W}$. Using an 
analogous reasoning we conclude that each component of the $\vec{V}$ vector has no 
more than $2^{(2 n_{\mathcal{B}}^2)}$ elements and the total number of iterations is upper-bounded 
by $n_{\mathcal{A}} \cdot 2^{(2 n_{\mathcal{B}}^2)}$. To infer an upper bound on the runtime of each repeat/until 
loop we also need to multiply the above expressions by a factor $|\Sigma|$ since the 
number of concatenations in $\mathrm{Rcat}$ depends on the size of the alphabet. 

Next, we derive an upper bound on the number of membership queries 
performed at line 13. The number of iterations of the loops of lines 6, 8, 10, 11 
and 12 is $n_{\mathcal{A}}$, $2^{n_{\mathcal{B}}}$, $n_{\mathcal{A}} \cdot 2^{(2 n_{\mathcal{B}}^2)}$, $2^{(2 n_{\mathcal{B}}^2)}$ and $2^{n_{\mathcal{B}}}$, respectively. Since all loops 
are nested, we multiply these bounds to end up with $n_{\mathcal{A}}^2 \cdot 2^{O(n_{\mathcal{B}}^2)}$ as an upper 
bound on the number of membership queries. The runtime for each ultimately 
periodic word membership query (with a stem, a period and $\mathcal{B}$ as input) is upper 
bounded by an expression polynomial in the size $n_{\mathcal{B}}$ of $\mathcal{B}$, $2^{n_{\mathcal{B}}}$ for the length of 
the stem and $2^{(2 n_{\mathcal{B}}^2)}$ for the length of the period. 

We conclude from the above that the runtime of the algorithm of Fig. 2 is at 
most $|\Sigma| \cdot n_{\mathcal{A}}^2 \cdot 2^{O(n_{\mathcal{B}}^2)}$. 


7 Implementation and Experiments 


We implemented the FORQ-based algorithm of Fig. 2 instantiated by the structural 
FORQ in a tool called FORKLIFT [2]. In this section, we provide algorithmic 
details about FORKLIFT and then analyze how it behaves in practice (Sect. 7.1). 

Data Structures. Comparing two words given a structural FORQ requires computing 
the corresponding sets of targets for stems ($\mathrm{Tgt}$) and sets of contexts 
for periods ($\mathrm{Cxt}$). A naïve implementation would compute $\mathrm{Tgt}$ and $\mathrm{Cxt}$ 
every time a comparison is needed. We avoid computing this information over 
and over again by storing each stem together with its $\mathrm{Tgt}$ set and each period 
together with its $\mathrm{Cxt}$ set. 

Moreover, the function $\mathrm{Rcat}$ inserts new words in the input vector by 
concatenating a letter on the right of some words already in the vector. In our 
implementation, we do not recompute the associated set of targets nor contexts 
for the newly computed word from scratch. For every stem $u \in \Sigma^*$ and every letter 
$a \in \Sigma$, the set of states $\mathrm{Tgt}(ua)$ can be computed from $\mathrm{Tgt}(u)$ thanks to the 
following equality, essentially stating that $\mathrm{Tgt}$ can be computed inductively: 


$$\mathrm{Tgt}(ua) = \{q \in Q \mid q' \in \mathrm{Tgt}(u),\ \mathcal{B}\colon q' \xrightarrow{a} q\}.$$ 


Analogously, for every period $v \in \Sigma^+$, every $X \subseteq Q$ and every $a \in \Sigma$, the set of contexts 
$\mathrm{Cxt}(X, va)$ can be computed from $\mathrm{Cxt}(X, v)$ thanks to the following equality: 


$$\mathrm{Cxt}(X, va) = \{(q, q'', k) \in Q^2 \times \{\bot, \top\} \mid (q, q', k') \in \mathrm{Cxt}(X, v),\ \mathcal{B}\colon q' \xrightarrow{a} q'',\ (k = \bot \vee k' = \top \vee \mathcal{B}\colon q' \xrightarrow{a}_F q'')\}$$ 


Intuitively $\mathrm{Cxt}$ can be computed inductively as we did for $\mathrm{Tgt}$. The first part 
of the condition defines how new contexts are obtained by appending a transition 
to the right of an existing context, while the second part defines the bit of 
information keeping record of whether an accepting state was visited. 


Bases, Frontier and Membership Test. We stated in Remark 11 that the 
correctness of the FORQ-based algorithm is preserved when removing, from the 
computed sets, zero or more subsumed words for the corresponding ordering. 
In FORKLIFT, we remove all the subsumed words from all the sets we compute 
which, intuitively, means each computed set is a basis that contains as few words 
as possible. To remove subsumed words we leverage the target or context sets 
kept along with the words. It is worth pointing out that the least fixpoint com- 
putations at lines 4, 5, and 10 are implemented using a frontier. Finally, the 
ultimately periodic word membership procedure is implemented as a classical 
depth-first search as described in textbooks [17, Chapter 13.1.1]. 
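The algorithm of Fig. 2, the incremental Tgt/Cxt computation above and the subsumption removal of Remark 11, put together as an added Python example (our own code, not FORKLIFT's): the structural FORQ is the one of Definition 4, the membership test is a fixpoint-based check written here rather than FORKLIFT's depth-first search, and the two automata are reconstructed from Fig. 1 as constructed sample input. Running it on $\mathcal{A}$ and $\mathcal{B}$ of Fig. 1 returns ko with the counterexample $a^\omega$, as in Example 3.

```python
"""Structural-FORQ inclusion check: the algorithm of Fig. 2 run with the structural
FORQ of Definition 4.  Added example, not FORKLIFT's code; names are ours and the
two automata at the bottom are reconstructed from Fig. 1 and Examples 3 and 6."""

class BA:
    """Nondeterministic Büchi automaton (Q, q_I, Δ, F) over an ordered alphabet."""
    def __init__(self, init, trans, accept, alphabet):
        self.init, self.F, self.alphabet = init, frozenset(accept), list(alphabet)
        self.Q = frozenset([init]) | {s for q, _, q2 in trans for s in (q, q2)}
        self.delta = {}
        for q, a, q2 in trans:
            self.delta.setdefault((q, a), set()).add(q2)

    def post(self, q, a):
        return self.delta.get((q, a), set())

def tgt(B, X, u):
    """Tgt generalised to a source set: states reachable from X by reading u."""
    for a in u:
        X = frozenset(q2 for q in X for q2 in B.post(q, a))
    return X

def cxt(B, X, v):
    """Cxt(X, v): triples (q, q', k) with q in X and q --v--> q'.  k = False (⊥) is
    always present, k = True (⊤) only if an accepting state is visited (Sect. 7)."""
    C = {(q, q, False) for q in X} | {(q, q, True) for q in X if q in B.F}
    for a in v:
        C = {(q, q2, k) for (q, q1, k1) in C for q2 in B.post(q1, a)
             for k in (False, True) if not k or k1 or q1 in B.F or q2 in B.F}
    return frozenset(C)

def compose(C1, C2):
    """Cxt(X, vw) from Cxt(X, v) and Cxt(Q, w): chain the contexts, OR the flags."""
    return frozenset((q, q2, k1 or k2) for (q, q1, k1) in C1
                     for (p, q2, k2) in C2 if p == q1)

def member(B, u, v):
    """Decide u v^ω ∈ L(B): some state visited after u v^i (i ≥ 0) must return to
    itself on v^j (j ≥ 1) through an accepting state; both unions are finite."""
    reach, X = set(), tgt(B, {B.init}, u)
    while not X <= reach:               # reach = ∪_i Tgt(u v^i)
        reach |= X
        X = tgt(B, X, v)
    loops, R = set(), cxt(B, B.Q, v)
    cur = R
    while not cur <= loops:             # loops = ∪_{j≥1} Cxt(Q, v^j)
        loops |= cur
        cur = compose(cur, R)
    return any((q, q, True) in loops for q in reach)

def basis(words, key, leq):
    """Antichain basis (Remark 11): drop every word subsumed by another kept one;
    words are scanned in (length, word) order so ties resolve deterministically."""
    kept = []
    for w in sorted(words, key=lambda x: (len(x), x)):
        if not any(leq(key(k), key(w)) for k in kept):
            kept = [k for k in kept if not leq(key(w), key(k))] + [w]
    return kept

def rcat(A, V):
    """Rcat_A: append a letter a to every word of V.p' for each edge A: p' --a--> p."""
    out = {p: set(V[p]) for p in A.Q}
    for p1 in A.Q:
        for w in V[p1]:
            for a in A.alphabet:
                for p in A.post(p1, a):
                    out[p].add(w + a)
    return out

def fixpoint(A, V, key, leq):
    """repeat V := Rcat_A(V) until B_≼(V.p, Rcat_A(V).p) for all p (lines 4, 5, 10),
    keeping only a basis after each step as Remark 11 allows."""
    while True:
        R = rcat(A, V)
        if all(any(leq(key(x), key(w)) for x in V[p]) for p in A.Q for w in R[p]):
            return V
        V = {p: basis(R[p], key, leq) for p in A.Q}

def forq_inclusion(A, B):
    """Fig. 2: ('ok',) if L(A) ⊆ L(B), else ('ko', u, v) with u v^ω in L(A) but not L(B)."""
    stem_key = lambda u: tgt(B, {B.init}, u)     # u ≼ u'  iff  Tgt(u) ⊆ Tgt(u')
    sub = lambda X, Y: X <= Y
    sup = lambda X, Y: Y <= X                     # the converse quasiorder ≼^{-1}
    U0 = {p: ([''] if p == A.init else []) for p in A.Q}
    W = fixpoint(A, U0, stem_key, sup)            # line 4: maximal stems
    U = fixpoint(A, U0, stem_key, sub)            # line 5: minimal stems
    for s in sorted(A.F, key=str):
        V0 = {p: [a for a in A.alphabet if p in A.post(s, a)] for p in A.Q}
        for w in W[s]:
            Xw = stem_key(w)                      # v ≼_w v' iff Cxt(Tgt(w), v) ⊆ ...
            V = fixpoint(A, V0, lambda v: cxt(B, Xw, v), sub)   # line 10
            for v in V[s]:
                for u in U[s]:                    # lines 12-13
                    if sub(stem_key(u), Xw) and not member(B, u, v):
                        return ('ko', u, v)
    return ('ok',)

# Constructed from Fig. 1: A accepts every word over {a, b}; B accepts Σ* b^ω
# (q_I --a,b--> q1, q1 --a,b--> q1, q1 --a,b--> q2, q2 --b--> q2, F = {q2}).
A = BA('pI', [('pI', 'a', 'pI'), ('pI', 'b', 'pI')], ['pI'], 'ab')
B = BA('qI', [('qI', 'a', 'q1'), ('qI', 'b', 'q1'), ('q1', 'a', 'q1'),
              ('q1', 'b', 'q1'), ('q1', 'a', 'q2'), ('q1', 'b', 'q2'),
              ('q2', 'b', 'q2')], ['q2'], 'ab')
```

`forq_inclusion(A, B)` returns `('ko', '', 'a')` and `forq_inclusion(B, A)` returns `('ok',)`; the ordering used inside `basis` decides which of the equivalent counterexamples of Example 3 is reported first.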


Technical Details. FORKLIFT, a naïve prototype implemented by a single per- 
son over several weeks, implements the algorithm of Fig. 2 with the structural 
FORQ in less than 1000 lines of Java code. One of the design goals of our tool 
was to have simple code that could be easily integrated in other tools. Therefore, 
our implementation relies solely on a few standard packages from the Java SE 
Platform (notably collections such as HashSet or HashMap). 


7.1 Experimental Evaluation 


Benchmarks. Our evaluation uses benchmarks stemming from various application domains including benchmarks from theorem proving, software verification, and from previous work on the ω-regular language inclusion problem. In this section, a benchmark means an ordered pair of BAs such that the “left”/“right” BAs refer, resp., to the automata on the left/right of the inclusion sign. The BAs of the Pecan [31] benchmarks encode sets of solutions of predicates, hence a logical implication between predicates reduces to a language inclusion problem between BAs. The benchmarks correspond to theorems of the form $\forall x, \exists y,\ P(x) \implies Q(y)$ about Sturmian words [21]. We collected 60 benchmarks from Pecan for which inclusion holds, where the BAs have alphabets of up to 256 symbols and have up to 21395 states.
The second collection of benchmarks stems from software verification. The Ultimate Automizer (UA) [19,20] benchmarks encode termination problems for programs where the left BA models a program and the right BA its termination proof. Overall, we collected 600 benchmarks from UA; inclusion holds for all but one of them. The BAs have alphabets of up to 13173 symbols and are as large as 6972 states.

The RABIT benchmarks are BAs modeling mutual exclusion algorithms [8], 
where in each benchmark one BA is the result of translating a set of guarded 
commands defining the protocol while the other BA translates a modified set of 
guarded commands, typically obtained by randomly weakening or strengthening 
one guard. The resulting BAs are on a binary alphabet and are as large as 7963 
states. Inclusion holds for 9 out of the 14 benchmarks. 

All the benchmarks are publicly available on GitHub [12]. We used all the 
benchmarks we collected, that is, we discarded no benchmarks. 


Tools. We compared FORKLIFT with the following tools: SPOT 2.10.3, GOAL 
(20200822), RABIT 2.5.0, ROLL 1.0, and BAIT 0.1. 


SPOT [15,16] decides inclusion problems by complementing the “right” BA 
via determinization to parity automata with some additional optimizations 
including simulation-based optimizations. It is invoked through the command 
line tool autfilt with the option --included-in. It is worth pointing out 
that SPOT works with symbolic alphabets where symbols are encoded using 
Boolean propositions, and sets of symbols are represented and processed using 
OBDDs. SPOT is written in C++ and its code is publicly available [6]. 

GOAL [34] contains several language inclusion checkers available with multiple options. We used the Piterman algorithm using the options containment -m piterman with and without the additional options -sim -pre. In our plots GOAL is the invocation with the additional options -sim -pre, which compute and use simulation relations to further improve performance, while GOAL⁻ is the one without the additional options. Inclusion is checked by constructing on-the-fly the intersection of the “left” BA and the complement of the “right” BA, which is itself built on-the-fly by the Piterman construction [32]. The Piterman check was deemed the “best effort” (cf. [10, Section 9.1] and [33]) among the inclusion checkers provided in GOAL. GOAL is written in Java and the source code of the release we used is not publicly available [3].

RABIT [10] performs the following operations to check inclusion: (1) removing dead states and minimizing the automata with simulation-based techniques, thus yielding a smaller instance; (2) witnessing inclusion by simulation already during the minimization phase; (3) using a Ramsey-based method with antichain heuristics to witness inclusion or non-inclusion. The antichain heuristics of Step (3) uses a unique quasiorder leveraging simulation relations to discard candidate counterexamples. In our experiments we ran RABIT with options -fast -jf, which RABIT states as providing the “best performance”. RABIT is written in Java and is publicly available [4].

ROLL [24,25] contains an inclusion checker that does a preprocessing analogous to that of RABIT and then relies on automata learning and word sampling techniques to decide inclusion. ROLL is written in Java and is publicly available [5].

BAIT [13] which shares authors with the authors of the present paper, imple- 
ments a Ramsey-based algorithm with the antichain heuristics where two 
quasiorders (one for the stems and the other for the periods) are used to 
discard candidate counterexamples as described in Sect. 1. BAIT is written 
in Java and is publicly available [1]. 


As far as we can tell all the above implementations, including FORKLIFT, 
are sequential except for RABIT which, using the -jf option, performs some 
computations in a separate thread. 


Experimental Setup. We ran our experiments on a server with 24 GB of RAM, 
2 Xeon E5640 2.6 GHz CPUs and Debian Stretch 64-bit. We used openJDK 
11.0.12 2021-07-20 when compiling Java code and ran the JVM with default 
options. For RABIT, BAIT and FORKLIFT the execution time is computed 
using timers internal to their implementations. For ROLL, GOAL and SPOT 
the execution time is given by the “real” value of the time(1) command. We 
preprocessed the benchmarks passed to FORKLIFT and BAIT with a reduction 
of the set of final states of the “left” BA that does not alter the language it 
recognizes. This preprocessing aims to minimize the number of iterations of the 
loop at line 6 of Fig.2 over the set of final states. It is carried out by GOAL 
using the acc -min command. Internally, GOAL uses a polynomial time algo- 
rithm that relies on computing strongly connected components. The time taken 
by this preprocessing is negligible. 


Plots. We use survival plots for displaying our experimental results in Fig. 3. Let us recall how to obtain them for a family of benchmarks $\{p_i\}_{i=1}^{n}$: (1) run the tool on each benchmark $p_i$ and store its runtime $t_i$; (2) sort the $t_i$’s in increasing order and discard pairs corresponding to abnormal program termination like time out or memory out; (3) plot the points $(t_1, 1), (t_1 + t_2, 2), \ldots$, and in general $(\sum_{i=1}^{k} t_i,\ k)$; (4) repeat for each tool under evaluation.

Survival plots are effective at comparing how tools scale up on benchmarks: 
the further right and the flatter a plot goes, the better the tool thereof scales 
up. Also the closer to the x-axis a plot is, the less time the tool needs to solve 
the benchmarks. 


Analysis. It is clear from Fig. 3a and 3b that FORKLIFT scales up best on both the Pecan and UA benchmarks. FORKLIFT’s scalability is particularly evident on the Pecan benchmarks of Fig. 3a, where its curve is the flattest and no other tool finishes on all benchmarks. Note that, in Fig. 3b, the plot for SPOT is missing because we did not succeed in translating the UA benchmarks into the input format of SPOT. On the UA benchmarks, FORKLIFT, BAIT and GOAL scale up well and we expect SPOT to scale up at least equally well. On the other hand, RABIT and ROLL scaled up poorly on these benchmarks.

On the RABIT benchmarks of Fig. 3c both FORKLIFT and SPOT terminate 13 out of 14 times; BAIT terminates 9 out of 14 times; and GOAL, ROLL and RABIT terminate every time. We claim that the RABIT benchmarks can all be solved efficiently by leveraging simulation relations, which FORKLIFT does not use, let alone compute. Next, we justify this claim. First observe in Fig. 3c how GOAL is doing noticeably better than GOAL⁻, while we have the opposite situation for the Pecan benchmarks of Fig. 3a and no noticeable difference for the UA benchmarks of Fig. 3b. Furthermore, observe how ROLL and RABIT, which both leverage simulation relations in one way or another, scale up well on the RABIT benchmarks but scale up poorly on the Pecan and UA benchmarks.

[Fig. 3: four survival plots, one per benchmark family: (a) Benchmarks from Pecan, (b) Benchmarks from Ultimate Automizer, (c) Benchmarks from RABIT, (d) Benchmarks from RABIT (reduced). Each plot compares GOAL, GOAL⁻, RABIT, BAIT, ROLL, FORKLIFT and, where available, SPOT; the x axis is the number of instances solved and the y axis the cumulative time.]

Fig. 3. Survival plot with a logarithmic y axis and linear x axis. Each benchmark has a timeout value of 12h. Parts of the plots are left out for clarity. A point is plotted for abscissa value x and tool r iff r returns with an answer for x benchmarks. All the failures of BAIT and the one of FORKLIFT are memory out.

The reduced RABIT benchmarks at Fig. 3d are obtained by pre-processing 
every BA of every RABIT benchmark with the simulation-based reduction oper- 
ation of SPOT given by autfilt --high --ba. This preprocessing reduces the 
state space of the BAs by more than 90% in some cases. The reduction signifi- 
cantly improves how FORKLIFT scales up (it now terminates on all benchmarks) 
while it has less impact on RABIT, ROLL and SPOT which, as we said above, 
already leverage simulation relation internally. It is also worth noting that GOAL 
has a regression (from 14/14 before the reduction to 13/14). 

Overall FORKLIFT, even though it is a prototype implementation, is the tool that returns most often (673/674). Its only failure disappears after a preprocessing of the two BAs using simulation relations. The FORKLIFT curve for the Pecan benchmarks shows that FORKLIFT scales up best.

Our conclusion from the empirical evaluation is that, in practice, FORKLIFT is competitive with the state of the art in terms of scalability. Moreover, the behavior of the FORQ-based algorithm in practice is far from its worst-case exponential runtime.


8 Discussions 


This section provides information that we consider of interest although not essen- 
tial for the correctness of our algorithm or its evaluation. 


Origin of FORQs. Our definition of FORQ and their suitability property (in particular the language preservation) are directly inspired from the definitions related to families of right congruences introduced by Maler and Staiger in 1993 [28] (revised in 2008 [30]). We now explain how our definition of FORQs generalizes and relaxes previous definitions [30, Definitions 5 and 6].

First we explain why the FORQ constraint does not appear in the setting of families of right congruences. In the context of congruences, relations are symmetric and thus the FORQ constraint reduces to $u \leq w \implies {\leq_w} = {\leq_u}$. Therefore the FORQ constraint trivially holds if the set $\{\leq_u\}_{u \in \Sigma^*}$ is quotiented by the congruence relation $\leq$, which is the case in the definition [29, Definition 5].

Second, we point out that the condition $v \leq_u v' \implies uv \leq uv'$, which appears in the definition of families of right congruences [30, Definition 5], is not needed in our setting. Nevertheless, this condition enables an improvement of the FORQ-based algorithm that we describe next.
Less Membership Queries. We put forward a property of structural FORQs allowing us to reduce the number of membership queries performed by FORKLIFT. Hereafter, we refer to the picky constraint as the property of a FORQ stating that $v \leq_u v' \implies uv \leq uv'$ where $u, v, v' \in \Sigma^*$. We first show how, thanks to the picky constraint, we can reduce the number of candidate counterexamples in the FORQ-based algorithm and then we show that every structural FORQ satisfies the picky constraint.

In the algorithm of Fig. 2, periods are taken in a basis for the ordering $\leq_w$ where $w \in \Sigma^*$ belongs to a finite basis for the ordering $\leq^{-1}$. The only restriction on $w$ is that of being comparable to the stem $u$, as ensured by the test at line 12. The following lemma formalizes the fact that we could consider a stronger restriction.


Lemma 12. Let $\leq$ be a quasiorder over $\Sigma^*$ such that $\leq^{-1}$ is a right-monotonic well-quasiorder. Let $S, S' \subseteq \Sigma^*$ be such that $B_{\leq^{-1}}(S', S)$ and $S$ contains no two distinct comparable words. For all $u \in \Sigma^*$ and $v \in \Sigma^+$ such that $u \in S$ and $\{wv \mid w \in S\} \subseteq S$, there exists $\hat{w} \in S'$ such that $uv^i \leq \hat{w}$ and $\hat{w}v^j \leq \hat{w}$ for some $i, j \in \mathbb{N} \setminus \{0\}$.


As in Sect. 3, we show that the equivalence (†) holds, but this time for an alternative definition of $T_A$ that we provide next. Given an $M$-suitable FORQ $\mathcal{F} \triangleq (\leq, \{\leq_u\}_{u \in \Sigma^*})$, let

$$T'_A \triangleq \{\, uv^\omega \mid \exists s \in F_A\colon u \in U_s,\ v \in V_s^{w} \text{ for some } w \in W_s \text{ with } u \leq w,\ wv \leq w \,\}$$

where for all $p \in P$ the sets $U_p$, $W_p$ and $\{V_p^w\}_{w \in \Sigma^*}$ are such that $B_{\leq}(U_p, Stem_p)$, $B_{\leq^{-1}}(W_p, Stem_p)$ and $B_{\leq_w}(V_p^w, Per_p)$ for all $w \in \Sigma^*$. Since $T'_A \subseteq T_A$ by definition, it suffices to prove the implication $T'_A \subseteq M \implies Ultim_A \subseteq M$. Let $uv^\omega \in Ultim_A$, i.e., such that there exists $s \in F_A$ for which $u \in Stem_s$ and $v \in Per_s$, satisfying $uv \leq u$. In the context of Lemma 12, taking $S = Stem_s$ and $S' = W_s$ fulfills the requirements $u \in S$ and $\{wv \mid w \in S\} \subseteq S$. We can thus apply the lemma and ensure the existence of some $w_0 \in W_s$ satisfying $uv^i \leq w_0$ and $w_0 v^j \leq w_0$ for some $i, j \in \mathbb{N} \setminus \{0\}$. Since $uv^i \in Stem_s$ and $v^j \in Per_s$ we find that there exist $u_0 \in U_s$ and $v_0 \in V_s^{w_0}$ such that $u_0 \leq uv^i$ and $v_0 \leq_{w_0} v^j$ thanks to the finite basis property. We conclude from the above that $v_0 \leq_{w_0} v^j$, hence that $w_0 v_0 \leq w_0 v^j$ by the picky condition, and finally that $w_0 v_0 \leq w_0$ by Lemma 12 and transitivity. By definition $u_0 v_0^\omega \in T'_A$ and the proof continues as the one in Sect. 3 for $T_A$.

To summarize, if the considered FORQ fulfills the picky constraint then the algorithm of Fig. 2 remains correct when discarding the periods $v$ at line 11 such that $wv \not\leq w$. Observe that discarding one period $v$ possibly means skipping several membership queries ($u_1 v^\omega, u_2 v^\omega, \ldots$). As proved below, the picky constraint holds for all structural FORQs.


Lemma 13. Let $\mathcal{B} = (Q, q_I, \Delta_{\mathcal{B}}, F_{\mathcal{B}})$ be a BA and $\mathcal{F} \triangleq (\leq^{\mathcal{B}}, \{\leq^{\mathcal{B}}_u\}_{u \in \Sigma^*})$ its structural FORQ. For all $u \in \Sigma^*$ and all $v, v' \in \Sigma^+$, if $v \leq^{\mathcal{B}}_u v'$ then $uv \leq^{\mathcal{B}} uv'$.

Proof. For all $q' \in Tgt(uv)$, there exists $q \in Q$ such that $\mathcal{B}\colon q_I \xrightarrow{u} q \xrightarrow{v} q'$. Hence $(q, q', \bot) \in Cxt(Tgt(u), v)$. In fact $(q, q', \bot) \in Cxt(Tgt(u), v')$ holds as well since $v \leq^{\mathcal{B}}_u v'$. We deduce from the definition of $Cxt$ that $\mathcal{B}\colon q_I \xrightarrow{u} q \xrightarrow{v'} q'$, which implies $q' \in Tgt(uv')$. Thus $Tgt(uv) \subseteq Tgt(uv')$, i.e., $uv \leq^{\mathcal{B}} uv'$.


We emphasize that this reduction of the number of membership queries was not included in our experimental evaluation since (1) the proof of correctness is simpler without it and (2) FORKLIFT already scales up well without this optimization. We leave the precise effect of this optimization for future work.


Why a Basis for $\leq^{-1}$ is Computed? Taking periods in a basis for the ordering $\leq_w$, where $w \in \Sigma^*$ is picked in a basis for the ordering $\leq^{-1}$, may seem unnatural. In fact, the language preservation property of FORQs even suggests that an algorithm without computing a basis for $\leq^{-1}$ may exist. Here, we show that taking periods in a basis for the ordering $\leq_u$, where $u \in \Sigma^*$ is picked in a basis for the ordering $\leq$, is not correct. More precisely, redefining $T_A$ as

$$T_A \triangleq \{\, uv^\omega \mid \exists s \in F_A\colon u \in U_s,\ v \in V_s^{u} \,\}$$

where for all $p \in P$ we have that $B_{\leq}(U_p, Stem_p)$ and $B_{\leq_w}(V_p^w, Per_p)$ for all $w \in \Sigma^*$, leads to an incorrect algorithm because the equivalence (†) given by $T_A \subseteq M \iff L(A) \subseteq M$ no longer holds, as shown below in Example 14.

Example 14. Consider the BAs given by Fig. 1. We have that $L(A) \not\subseteq L(B)$ and, in Example 3, we have argued that $T_A = \{\varepsilon(b)^\omega, a(a)^\omega\}$ contains the ultimately periodic word $a^\omega$, which is a counterexample to inclusion. Recall from Examples 3 and 6 that we can set $U_s = \{\varepsilon, a\}$ since $B_{\leq}(\{\varepsilon, a\}, \Sigma^*)$, and $V_s^{\varepsilon} = V_s^{a} = \{b\}$ since $B_{\leq_\varepsilon}(\{b\}, \Sigma^+)$ and $B_{\leq_a}(\{b\}, \Sigma^+)$. We conclude from the above definition that $T_A = \{\varepsilon(b)^\omega, a(b)^\omega\}$, hence that $T_A \subseteq L(B)$, which contradicts (†) since $L(A) \not\subseteq L(B)$.


9 Conclusion and Future Work 


We presented a novel approach to tackle in practice the language inclusion problem between Büchi automata. Our antichain heuristics is driven by the notion of FORQs, which extends the notion of family of right congruences introduced in the nineties by Maler and Staiger [29]. We expect the notion of FORQs to have impact beyond the inclusion problem, e.g. in learning [9] and complementation [26]. A significant difference of our inclusion algorithm compared to other algorithms which rely on antichain heuristics is the increased number of fixpoint computations that, counterintuitively, yield better scalability. Indeed our prototype FORKLIFT, which implements the FORQ-based algorithm, scales up well on benchmarks taken from real applications in verification and theorem proving.

In the future we want to increase further the search pruning capabilities of FORQs by enhancing them with simulation relations. We also plan to study whether FORQs can be extended to other settings like ω-visibly pushdown languages.
Sound Automation of Magic Wands

Abstract. The magic wand -* (also called separating implication) is a separation logic connective commonly used to specify properties of partial data structures, for instance during iterative traversals. A footprint of a magic wand formula A -* B is a state that, combined with any state in which A holds, yields a state in which B holds. The key challenge of proving a magic wand (also called packaging a wand) is to find such a footprint. Existing package algorithms either have a high annotation overhead or, as we show in this paper, are unsound.

We present a formal framework that precisely characterises a wide design space of possible package algorithms applicable to a large class of separation logics. We prove in Isabelle/HOL that our formal framework is sound and complete, and use it to develop a novel package algorithm that offers competitive automation and is sound. Moreover, we present a novel, restricted definition of wands and prove in Isabelle/HOL that it is possible to soundly combine fractions of such wands, which is not the case for arbitrary wands. We have implemented our techniques for the Viper language, and demonstrate that they are effective in practice.


1 Introduction 


Separation logic [38] (SL hereafter) is a program logic that has been widely used to prove complex properties of heap-manipulating programs. The two main logical connectives that enable such reasoning are the separating conjunction * and the separating implication (more commonly known as the magic wand) -*, in combination with resource assertions which represent e.g. exclusive ownership of (and permission to access) particular heap locations. The separating conjunction expresses that two assertions prescribe ownership of disjoint parts of the heap, useful, for instance, to reason about aliasing or race conditions. More precisely, the assertion A * B holds in a program state σ if and only if σ can be split into two compatible program states σ_A and σ_B such that A and B hold in σ_A and σ_B, respectively. In SL, heaps of program states are partial maps from locations to values; their domains represent heap locations exclusively owned. Two program states are compatible if (the domains of) their heaps are disjoint.
Intuitively, a magic wand A -* B can be used to express the difference between the heap locations that B and A provide permission to access. The magic wand is useful, for instance, to specify partial data structures, where B specifies the entire data structure and A specifies a part that is missing [33,41]. A -* B holds in a state σ_w if and only if for any program state σ_A in which A holds and that is compatible with σ_w, B holds in the state obtained by combining the heaps of σ_w and σ_A. Thus, if A * (A -* B) holds in a state, then so does B, analogously to the modus ponens inference rule in propositional logic.

The magic wand has been shown to enable or greatly simplify proofs in many 
different cases [1,9,20,21,28,33,41,42]. For instance, Yang [42] uses the magic 
wand to prove the Schorr-Waite graph marking algorithm. Dodds et al. [20] 
employ the wand to specify synchronisation barriers for deterministic parallelism. 
Examples using magic wands to specify partial data structures include tracking 
ongoing traversals of a data structure [33,41], where the left-hand side of the 
wand specifies the part of the data structure yet to be traversed, or for specify- 
ing protocols that enforce orderly modification of data structures [21,25,28] (e.g. 
the protocol governing Java iterators). More recently, wands have been used for 
formal reasoning about borrowed references in the Rust programming language, 
which employs an ownership type system to ensure memory safety [1]. Magic 
wands concisely represent the remainder of a data structure from which a bor- 
rowed reference was taken, as well as reflecting back modifications to the part 
accessible via the reference. For example, consider a struct Point (represented by 
a SL predicate Point) with two fields x and y of type i32 (represented by the SL 
predicate i32). A Rust method that takes as input a Point p and returns a borrow 
of its field x is specified with the postcondition int32(x) * (int32(x) —* Point(p)), 
thus enabling the caller to regain ownership of the entire data structure Point(p). 

The complexity of SL proofs has given rise to a variety of automatic SL veri- 
fiers that reduce the required proof effort. Given the usefulness of magic wands, it 
is important that such verifiers also provide automatic support for wands. How- 
ever, reasoning about a magic wand requires reasoning about all states in which 
the left-hand side holds, which is challenging. It has been shown that a separa- 
tion logic even without the separating conjunction (but with the magic wand) is 
as expressive as a variant of second-order logic and, thus, undecidable [6]. 

Two different approaches [3,39] that provide partially-automated support are implemented in the verifiers Viper [34] and VerCors [2]. However, the approach implemented in VerCors [3] incurs significant annotation overhead, and the approach in Viper [39] suffers from a fundamental, previously undiscovered flaw that renders the approach unsound. Both approaches require user-provided package operations to direct the verifier’s proof search. Packaging a wand A -* B expresses that the verifier should prove and subsequently record A -* B. To package A -* B the verifier must split the current state into two compatible states σ' and σ_w such that A -* B holds in σ_w. We call σ_w a footprint of the wand. After successfully packaging a wand, the verifier must disallow changes to σ_w to preserve the wand’s validity: the verifier packages the footprint into the wand.
The key challenge for supporting magic wands in automatic verifiers is to define a package algorithm that packages a wand. In VerCors’s package algorithm [3], a user must manually specify a footprint for the wand and the algorithm checks whether the wand holds in the specified footprint. This leads to a lot of annotation overhead. Viper’s current package algorithm [39] reduces this overhead significantly by automatically inferring a suitable footprint. Unfortunately, as we show in this paper, Viper’s current algorithm has a fundamental flaw that causes the algorithm to infer an incorrect footprint in certain cases, which may lead to unsound reasoning. We will explain the fundamental flaw in Sect. 2; it illustrates the subtlety of supporting this important connective.


Approach and Contributions. In this paper, we present a formal foundation 
for sound package algorithms, and we implement a novel such algorithm based on 
these foundations. Our algorithm requires the same annotation overhead as the 
prior, flawed Viper algorithm, which is (to our knowledge) the most automatic 
existing approach. We introduce a formal framework expressed via a novel package 
logic that defines the design space for package algorithms. The soundness of a pack- 
age algorithm can be justified by showing that the algorithm finds a proof in our 
package logic. The design space for package algorithms is large since there are var- 
ious aspects that affect how one expresses the algorithm including (1) which foot- 
print an algorithm infers or checks (there are often multiple options, see Sect. 3), 
(2) the state model (which differs between different SL verifiers), and (3) restricted 
definitions of wands (for instance, to ensure each wand has a unique minimal foot- 
print). Our package logic deals with (1) by capturing all sound derivations for the 
same wand. To deal with (2) and (3), our logic is parametric along multiple dimen- 
sions. For instance, the state model can be any separation algebra to support dif- 
ferent SL extensions (e.g. fractional permissions [4]). 

Our logic also supports parameters to restrict the allowed footprints for 
wands in systematic ways. Such restrictions are useful, for instance, in a logic 
supporting fractional permissions. Fractional permissions permit splitting own- 
ership/resources into shared fragments which typically permit read access to 
the underlying data. However, as we show in Sect. 4, fractional parts of general 
magic wands cannot always be soundly recombined. Existing solutions for other 
connectives impose side conditions to enable sound recombinations [29], which 
are often hard to check automatically. We instead introduce a novel restriction 
of magic wands to avoid such side conditions and develop a corresponding sec- 
ond package algorithm again based on the formal framework provided by our 
package logic. We make the following contributions: 


— We formalise a package logic that can be used as a basis for a wide range 
of package algorithms (Sect.3). The logic has multiple parameters including: 
a separation algebra to model the states and a parameter to restrict the 
definition of a wand in a systematic way. We formally prove the logic sound 
and complete for any instantiation of the parameters in Isabelle/HOL [13]. 

— We develop a novel, restricted definition of a wand (Sect.4) and prove in 
Isabelle/HOL that this wand can always be recombined [14]. 




— We implement sound package algorithms for both the standard and the 
restricted wand in the Viper verifier and justify their soundness directly via 
our package logic (Sect.5). We evaluate both algorithms on the Viper test 
suite. Our evaluation shows that (1) our algorithms perform similarly well to 
prior work and correctly reject examples where prior work is unsound, and 
(2) our restricted wand definition is expressive enough for most examples. 


Our Isabelle formalisation and the implementation of our new package algorithm 
are publicly available [13-15]. Further details are available in our accompanying 
technical report (TR hereafter) [16]. 


2 Background and Motivation 


In this section, we present the necessary background for this paper. We use 
implicit dynamic frames [40] to represent SL assertions, since both existing auto- 
matic verifiers that support wands (VerCors and Viper) are based on it. There 
is a known strong correspondence between SL and implicit dynamic frames [36]. 


2.1 Implicit Dynamic Frames 


Just like SL assertions, implicit dynamic frames (IDF hereafter) assertions specify not only value information, but also permissions to heap locations that are allowed to be accessed. To justify dereferencing a heap location, the corresponding permission is required, ensuring memory safety. IDF assertions specify permissions to locations and value information separately. An assertion acc(x.val) (an accessibility predicate) denotes permission to the heap location x.val, while x.val = v expresses that x.val contains value v. The separating conjunction in IDF enforces disjointness (formally: acts multiplicatively) with respect to resource assertions such as accessibility predicates; in particular, if acc(x.val) * acc(y.val) holds in a state, then x and y must be different (analogously to SL).

The main difference between IDF and SL is that SL does not allow general heap-dependent expressions such as x.val = v or x.left.right [40] to be specified separately from the permissions to the heap locations they depend on. The IDF assertion acc(x.val) * x.val = v must be expressed in SL via the points-to assertion x.val ↦ v, which also conveys exclusive permission to the location x.val. IDF supports heap-dependent expressions within self-framing assertions: those which require permissions to all the heap locations on whose values they depend (e.g. acc(x.val) * x.val = v is self-framing but x.val = v is not) [40].


2.2 A Typical Example Using Magic Wands 


Figure 1 shows a variation of an example from the VerifyThis competition [22]. 
The method leftLeaf iteratively computes the leftmost leaf of a binary tree 
(package and apply operations, shown in blue, should be ignored for now). The 
Fig. 1 (left): the method with its specification; line numbers are referenced in the text.

     1  method leftLeaf(x: Ref) : (y: Ref)
     2    requires Tree(x)
     3    ensures Tree(x) {
     4    y := x
     5    package Tree(x) -* Tree(x)
     6
     7    while (y.left != null)
     8      inv Tree(y) * (Tree(y) -* Tree(x)) {
     9      y := y.left
    10      package Tree(y) -* Tree(x)
    11      // { hints for package }
    12    }
    13    apply Tree(y) -* Tree(x)
    14  }

Fig. 1 (right): the predicate describing the permissions of a tree.

    Tree(x: Ref) ≜ acc(x.val) *
                   acc(x.left) * acc(x.right) *
                   (x.left != null ⇒ Tree(x.left)) *
                   (x.right != null ⇒ Tree(x.right))


Fig. 1. The code on the left finds the leftmost leaf of a binary tree and includes speci- 
fications to prove memory safety. The predicate describing the permissions of a tree is 
defined on the right. The loop invariant uses a wand to summarise the permissions of 
the input tree excluding the tree not yet traversed. The blue operations are ghost oper- 
ations to guide the verifier; we omit those specific to predicates. The package requires 
further hints in existing approaches, see App. J of the TR [16]. (Color figure online) 


pre- and postconditions of leftLeaf are both Tree(x), which is a predicate instance used to specify all permissions to the fields of the tree rooted at x (the recursive definition of this predicate is on the right of Fig. 1). Proving this specification amounts to proving that leftLeaf is memory-safe and that the permissions to the input tree are preserved, enabling further calls on the same tree.

The key challenge when verifying leftLeaf is specifying an appropriate loop invariant. The loop invariant must track the permissions to the subtree rooted at y that still needs to be traversed, since otherwise dereferencing y.left in the loop body is not allowed. Additionally, the invariant must track all of the remaining permissions in the input tree rooted at x (the permissions to the nodes already traversed and others unreachable from y), since otherwise the postcondition cannot be satisfied. The former can be easily expressed with Tree(y). The latter can be elegantly achieved with a magic wand Tree(y) -* Tree(x). This wand promises Tree(x) if one combines the wand with Tree(y). That is, the wand represents (at least) the difference between the permissions making up the two trees. Using SL's modus-ponens-like inference rule (directed by the apply operation on line 13, explained next), one can show that the loop invariant entails the postcondition.


2.3 Wand Ghost Operations 


Automatic SL verifiers such as GRASShopper [37], VeriFast [24], VerCors, and Viper generally represent permissions owned by a program state in two ways: by recording predicate instances (such as Tree(x) in Fig. 1) and direct permissions to heap locations. Magic wand instances provide a third way to represent permissions and are recorded analogously. Verifiers that support them require two wand-specific ghost operations, which instruct the verifiers when to prove a wand and when to apply a recorded wand instance using SL's modus-ponens-like rule.

A package ghost operation expresses that a verifier should prove a new wand instance in the current state and report an error if the proof attempt fails. To prove a new wand instance, the verifier must split the current state into two states $\sigma'$ and $\sigma_w$ such that the wand holds in the footprint state $\sigma_w$; on success, permissions in the footprint are effectively exchanged for the resulting magic wand instance. We call a procedure that selects a footprint by splitting the current state a package algorithm. On lines 5 and 10 of Fig. 1, new wands are packaged to establish and preserve the invariant, respectively.

The apply operation applies a wand A -* B using SL's modus-ponens-like rule if the verifier records a wand instance of A -* B and A holds in the current state (and otherwise fails), exchanging these for the assertion B. The apply operation is directly justified by the wand's semantics: combining a wand's footprint with any state in which A holds is guaranteed to yield a state in which B holds. For the apply operation on line 13 of Fig. 1, the verifier removes the applied wand instance and Tree(y), in exchange for the predicate instance Tree(x).


2.4 The Footprint Inference Attempt (FIA) 


Package algorithms differ in how a footprint for the specified magic wand is selected. In VerCors [3], the user must manually provide the footprint and the algorithm checks whether the specified footprint is correct. In Viper's current approach [39], a footprint is inferred. We explain and compare to the latter approach since it is the more automatic of the two; hereafter, we refer to its package algorithm as the Footprint Inference Attempt (FIA). Inferring a correct footprint is challenging due to the complexity of the wand connective. In particular, we have discovered that, in certain cases, the FIA infers incorrect footprints, leading to unsound reasoning¹. The goal of this subsection is to understand the FIA's key ideas, which our solution will build on, and why it is unsound.

In general, there may be multiple valid footprints for a magic wand A -* B. The FIA attempts to infer a footprint which is as close as possible to the difference between the permissions required by B and A, taking as few permissions as possible while aiming for a footprint compatible with A (so that the resulting wand can be later applied) [39]. That is, the FIA includes only permissions in the footprint it infers that are specified by B and not guaranteed by A.

For a wand A -* B, the FIA constructs an arbitrary state $\sigma_A$ that satisfies A (representing $\sigma_A$ symbolically). Then, the FIA tries to construct a state $\sigma_B$ in which B holds by taking permissions (and copying corresponding heap values) from $\sigma_A$ if possible and the current state otherwise. If this algorithm succeeds, the (implicit) inferred footprint consists of the permissions that were taken from the current state. The FIA constructs $\sigma_B$ by iterating over the permissions and logical constraints in B. For each permission, the FIA checks whether $\sigma_A$ owns the permission. If so, the FIA adds the permission to $\sigma_B$ and removes the permission from $\sigma_A$. Otherwise, the FIA removes the permission from the current state or fails if the current state does not have the permission. For each logical constraint, the FIA checks that the constraint holds in $\sigma_B$ as constructed so far. We show an example of the FIA correctly packaging a wand in App. A of the TR [16].

¹ This unsoundness might not be observable in restricted logics, but it is in Viper (see App. B of the TR [16]) and the rich logics supported by existing verification tools.


Unsoundness of the FIA. We have discovered that for some wands A -* B, the FIA determines an incorrect footprint for the magic wand. This unsoundness can arise when the FIA performs a case split on the content of the arbitrary state $\sigma_A$ satisfying A. In such situations, the FIA infers a footprint for each case separately, making use of properties that hold in that case. For certain wands, this leads to different footprints being selected for each case, while none of the inferred footprints can be used to justify B in all cases, i.e. for all states $\sigma_A$ that satisfy A. As a result, the packaged wand does not hold in any of the inferred footprints, which can make verification unsound, as we illustrate below.

The wand $w := acc(x.f) * (x.f = y \vee x.f = z) -\!\!* acc(x.f) * acc(x.f.g)$ illustrates the problem. For this wand, every state $\sigma_A$ satisfying the left-hand side must have permission to x.f. However, x.f may either point to y or z. If x.f points to y in $\sigma_A$, then to justify the right-hand side's second conjunct, the footprint must contain permission to y.g. Analogously, if x.f points to z in $\sigma_A$, then the footprint must contain permission to z.g. The wand's semantics requires a footprint to justify the wand's right-hand side for all states in which the left-hand side holds, and thus, a correct footprint must be able to justify both cases. Hence, the footprint must have permission to both y.g and z.g. However, the FIA's inferred footprint is in effect the disjunction of these two permissions.

Packaging the above wand w using the FIA leads to unsound reasoning. After the incorrect package described above in a state with permission to x.f, y.g, and z.g, the assertion $acc(x.f) * (acc(y.g) \vee acc(z.g)) * w$ can be proved since the FIA removes permission to either y.g or z.g from the current state, but not both. However, this assertion does not actually hold! According to the semantics of wands, w's footprint must include permission to x.f (in which case it is incompatible with every state satisfying the left-hand side, and the wand holds trivially) or permission to both y.g and z.g, which implies that the assertion $acc(x.f) * (acc(y.g) \vee acc(z.g)) * w$ is equivalent to false.

The unsoundness of the FIA shows the subtlety and challenge of developing sound package algorithms. Algorithms that soundly infer a single footprint for all states in which the wand's left-hand side holds must be more involved than the FIA. Ensuring their soundness requires a formal framework to construct them and justify their correctness. We introduce such a framework in the next section.


3 A Logical Framework for Packaging Wands 


In this section, we present a new logical framework that defines the design space for (sound) package algorithms. The core of this framework is our package logic, which defines the space of potential algorithmic choices of a footprint for a particular magic wand. Successfully packaging a wand in a given state is (as we will show) equivalent to finding a derivation in our package logic, and any actual package algorithm must correspond to a proof search in our logic (if it is sound). In particular, we provide soundness (Theorem 1) and completeness (Theorem 2) results for our logic. We define a specific package algorithm with this logic at its foundation, inspired by the FIA package algorithm [39] (described in Sect. 2.4) but amending its unsoundness, resulting in (to the best of our knowledge) the first sound and relatively automatic package algorithm.

All definitions and results in this section have been fully mechanised [13] in Isabelle/HOL. Our mechanised definitions are parametric with the underlying verification logic in various senses: the underlying separation algebra is a parameter, the syntax of assertions is defined in a way which allows simple extension with different base cases and connectives, and the semantics of magic wands itself can be restricted if only particular kinds of footprint are desired in practice. As a specific example of the latter parameter, in Sect. 4 we define a novel restriction of magic wand footprints which guarantees better properties in combination with certain usages of fractional permissions; this is seamlessly supported by the general package logic presented here. Nonetheless, to simplify the exposition of this section, we will assume that any magic wand footprint satisfying the connective's standard semantics is an acceptable result.


3.1 Footprint Selection Strategies 


As we explained in Sect. 1, there is a wide design space for package algorithms; in particular, many potential strategies for finding a magic wand's footprint exist and none is clearly optimal. Recall that a footprint is a state, and thus consists of permissions to certain heap locations as well as storing their corresponding values; for simplicity we identify a footprint by the permissions it contains.

For example, consider the following magic wand (using fractional permissions) $acc(x.b, 1/2) -\!\!* acc(x.b, 1/2) * (x.b \Rightarrow acc(x.f))$. Suppose this magic wand is to be packaged in a state where full permissions to both x.b and x.f are held, and the value of x.b is currently false. Two valid potential footprints are:

1. Full permission to x.f. This is sufficient to guarantee the right-hand side will hold regardless of the value that x.b has by the time the wand is applied.

2. Half permission to x.b. By including this permission, the fact that x.b is currently false is also included, and thus permission to x.f is not needed.

There is no clear reason to prefer one choice over the other: different package algorithms (or manual choices) might choose either. Our package logic allows either choice along with any of many less optimal choices, such as taking both permissions. On the other hand, as motivated in Sect. 2.4, our package logic must (and does) enforce that a single valid footprint is chosen for a wand that works for each and every potential state satisfying its left-hand side.


3.2 Package Logic: Preliminaries 


To capture different state models and flavours of separation logic, our package logic is parameterised by a separation algebra. For space reasons, we present here a simplified overview of this algebra, but all definitions (including our assertion semantics) are given in App. D of the TR [16] and have been mechanised. We consider a separation algebra [8,19] where $\Sigma$ is the set of states, $\oplus : \Sigma \times \Sigma \rightharpoonup \Sigma$ is a partial operation that is commutative and associative, and $e \in \Sigma$, which corresponds to the empty state, is a neutral element for $\oplus$. We write $\succeq$ for the induced partial order of the resulting partial commutative monoid, and $\sigma_1 \# \sigma_2$ iff $\sigma_1 \oplus \sigma_2$ is defined (i.e. $\sigma_1$ and $\sigma_2$ are compatible). Finally, if $\sigma_2 \succeq \sigma_1$, we define the subtraction $\sigma_2 \ominus \sigma_1$ to be the $\succeq$-largest state $\sigma_r$ such that $\sigma_2 = \sigma_1 \oplus \sigma_r$.

We define our package logic for an assertion language with the following grammar: $A ::= A * A \mid B \Rightarrow A \mid B$, where A ranges over assertions and B over semantic assertions. To allow our package logic to be applied to a variety of underlying assertion logics, we distinguish only the two most-relevant connectives: the separating conjunction and an implication (for expressing conditional assertions). To support additional constructs of the assertion logic, the third type of assertion we consider is a semantic assertion, i.e. a function from $\Sigma$ to Booleans. This third type can be instantiated to represent logical assertions that do not match the first two cases. In particular, assertions such as x.f = 5, acc(x.f), abstract predicates (such as Tree(x)) or magic wands can be represented as semantic assertions. This core assertion language can also be easily extended with native support for e.g. the logical conjunction and disjunction connectives; we explain in App. E of the TR [16] how to extend the rules of the logic accordingly.


3.3 The Package Logic 


We define our package logic to prescribe the design space of algorithms for deciding how, in an initial state $\sigma_0$, to select a valid footprint (or fail) for a magic wand A -* B. The aim is to infer states $\sigma_w$ and $\sigma_1$ that partition $\sigma_0$ (i.e. $\sigma_0 = \sigma_1 \oplus \sigma_w$) such that $\sigma_w$ is a valid footprint for A -* B (when combined with any compatible state satisfying A, the resulting state satisfies B). In particular, all permissions (and logical facts) required by the assertion B must either come from the footprint or be guaranteed to be provided by any compatible state satisfying A.

Recall from Sect. 2.4 that the mistake underlying the FIA approach ultimately resulted from allowing multiple different footprints to be selected conditionally on a state satisfying A, rather than a single footprint which works for all such states. Our package logic addresses this concern by defining judgements in terms of the set of all states satisfying A; whenever any of these tracked states is insufficient to provide a permission required by B, our logic will force this permission to be added in general to the wand's footprint (taken from the current state).

A witness set S is a set of pairs of states $(\sigma_A, \sigma_B)$; conceptually, the first represents the state available for trying to prove B in addition to the current state; this is initially a state satisfying the wand's left-hand side A. The second represents the state assembled (so far) to attempt to satisfy the right-hand side B. We write $S^1$ for the set of first elements of all pairs in a witness set S. A context $\Delta$ is a pair $(\sigma, S)$ of a state and a witness set; here, $\sigma$ represents the (as-yet unused remainder of the) current state in which the wand is being packaged.

The basic idea behind a derivation in our logic is to show how to assemble a witness set in which all second elements are states satisfying B, via some combinations of: (1) moving a part of the first element of a pair in the witness set into the second, and (2) moving a part of the outer state $\sigma$ into all first elements of the pairs (this becomes a part of the wand's footprint). The actual judgements of the logic are a little more complex, to correctly record any hypotheses (called path-conditions) that result from deconstructing conditional assertions in B.

Configurations and Reductions. A configuration represents a current objective in our package logic: the part of the wand's right-hand side still to be satisfied as well as the current state of a footprint computation. A configuration is a triple $(B, pc, (\sigma, S))$, where B is an assertion, pc is a path condition (a function from $\Sigma$ to Booleans), and $(\sigma, S)$ is a context. Conceptually, B is the assertion still to be satisfied, pc represents hypotheses we are currently working under, and the context $(\sigma, S)$ tracks the current state and witness set, as described above.

A reduction is a judgement $(B, pc, (\sigma_0, S_0)) \leadsto (\sigma_1, S_1)$, representing the achievement of the objective described via the configuration on the left, resulting in the final context on the right; $\sigma_1$ is the new version of the outer state (and becomes the new current state after the package operation); whatever was removed from the initial outer state is implicitly the selected footprint state $\sigma_w$. If a reduction is derivable in our package logic, this footprint $\sigma_w$ guarantees that for all $(\sigma_A, \sigma_B) \in S_0$, if $(\sigma_A \oplus \sigma_B) \# \sigma_w$, then $\sigma_A \oplus \sigma_w$ satisfies $pc \Rightarrow B$. The condition $(\sigma_A \oplus \sigma_B) \# \sigma_w$ ensures that the pair $(\sigma_A, \sigma_B)$ actually corresponds to a state in which the wand can be applied given the chosen footprint $\sigma_w$, as we explain later. The package logic defines the steps an algorithm may take to achieve this goal.

We represent packaging a wand A -* B in state $\sigma_0$ by the derivation of a reduction $(B, \lambda\sigma.\top, (\sigma_0, \{(\sigma_A, e) \mid \sigma_A \models A\})) \leadsto (\sigma_1, S_1)$, for some state $\sigma_1$ and witness set $S_1$. The path condition is initially true (we are not yet under any hypotheses). The initial witness set contains all pairs of a state $\sigma_A$ that satisfies A and the empty state e, to which a successful reduction will add permissions in order to satisfy B². An actual algorithm need not explicitly compute this (possibly infinite) set, but can instead track it symbolically. If the algorithm finds a derivation of this reduction, it has proven that the difference between $\sigma_0$ and $\sigma_1$ is a valid footprint of the wand A -* B, since the logic is sound (Theorem 1 below).

² If B is intuitionistic, this can be simplified to only the $\succeq$-minimal states that satisfy A. B is intuitionistic [38] iff, if B holds in a state $\sigma$, then B holds in any state $\sigma'$ such that $\sigma' \succeq \sigma$. In intuitionistic SL or in IDF, all assertions are intuitionistic.

Rules. Figure 2 presents the four rules of our logic, defining (via derivable reductions) how a configuration can be reduced to a context. There is a rule for each type of assertion B: Implication for an implication, Star for a separating conjunction, and Atom for a semantic assertion. The logic also includes the rule Extract, which represents a choice to extract permissions from the outer state and adds them to all pairs of states in the witness set. In the following, we informally write reducing an assertion to refer to the process of deriving (in the logic) that the relevant configuration containing this assertion reduces to some context.

Implication:
$$\frac{(A,\ \lambda\sigma.\ pc(\sigma) \wedge b(\sigma),\ \Delta) \leadsto \Delta'}{(b \Rightarrow A,\ pc,\ \Delta) \leadsto \Delta'}$$

Star:
$$\frac{(A_1,\ pc,\ \Delta_0) \leadsto \Delta_1 \qquad (A_2,\ pc,\ \Delta_1) \leadsto \Delta_2}{(A_1 * A_2,\ pc,\ \Delta_0) \leadsto \Delta_2}$$

Atom:
$$\frac{\begin{array}{c}
\forall (\sigma_A, \sigma_B) \in S.\ pc(\sigma_A) \Rightarrow \sigma_A \succeq choice(\sigma_A, \sigma_B) \wedge B(choice(\sigma_A, \sigma_B)) \\
S_\top = \{(\sigma_A \ominus choice(\sigma_A, \sigma_B),\ \sigma_B \oplus choice(\sigma_A, \sigma_B)) \mid (\sigma_A, \sigma_B) \in S \wedge pc(\sigma_A)\} \\
S_\bot = \{(\sigma_A, \sigma_B) \mid (\sigma_A, \sigma_B) \in S \wedge \neg pc(\sigma_A)\}
\end{array}}{(B,\ pc,\ (\sigma, S)) \leadsto (\sigma,\ S_\top \cup S_\bot)}$$

Extract:
$$\frac{\begin{array}{c}
\sigma_0 = \sigma_1 \oplus \sigma_w \qquad stable(\sigma_w) \qquad (A,\ pc,\ (\sigma_1, S_1)) \leadsto \Delta \\
S_1 = \{(\sigma_A \oplus \sigma_w,\ \sigma_B) \mid (\sigma_A, \sigma_B) \in S_0 \wedge (\sigma_A \oplus \sigma_B) \# \sigma_w\}
\end{array}}{(A,\ pc,\ (\sigma_0, S_0)) \leadsto \Delta}$$

Fig. 2. Rules of the package logic.

To reduce an implication $b \Rightarrow A$, the rule Implication conjoins the hypothesis b with the previous path condition, leaving A to be reduced. Informally, this expresses that satisfying $pc \Rightarrow (b \Rightarrow A)$ is equivalent to satisfying $(pc \wedge b) \Rightarrow A$.

For a separating conjunction $A_1 * A_2$, the Star rule expresses that both $A_1$ and $A_2$ must be reduced, in order to reduce $A_1 * A_2$; permissions used in the reduction of the first conjunct must not be used again, which is reflected by the threading-through of the intermediate context $\Delta_1$.³

The Atom rule specifies how to prove that all states in $S^1$ (where S is the witness set) satisfy the assertion $pc \Rightarrow B$. To understand the premises, consider a pair $(\sigma_A, \sigma_B) \in S$. If $\sigma_A$ does not satisfy the path condition, i.e. $\neg pc(\sigma_A)$, then $\sigma_A$ does not have to justify B, and thus the pair $(\sigma_A, \sigma_B)$ is left unchanged; this case corresponds to the set $S_\bot$. Conversely, if $\sigma_A$ satisfies the path condition, i.e. $pc(\sigma_A)$, then $\sigma_A$ must satisfy B, and the corresponding permissions must be transferred from $\sigma_A$ to $\sigma_B$. Since some assertions may be satisfied in different ways, such as disjunctions, the algorithm has a choice in how to satisfy B, which might be different for each pair $(\sigma_A, \sigma_B)$. This choice is represented by $choice(\sigma_A, \sigma_B)$, which must satisfy B and be smaller or equal to $\sigma_A$. We update the witness set by transferring $choice(\sigma_A, \sigma_B)$ from $\sigma_A$ to $\sigma_B$. This second case corresponds to the set $S_\top$. Note that the Atom rule can be applied only if $\sigma_A$ satisfies B, for all pairs $(\sigma_A, \sigma_B) \in S$ such that $pc(\sigma_A)$. If not, a package algorithm must either first extract more permissions from the outer state with the Extract rule, or fail.

The Extract rule (applicable at any step of a derivation) expresses that we can extract permissions (the state⁴ $\sigma_w$) from the outer state $\sigma_0$, and combine them with the first element of each pair of states in the witness set. Note that $(\sigma_A, \sigma_B)$ is removed from the witness set if $\sigma_A \oplus \sigma_B$ is not compatible with $\sigma_w$. In such cases, adding $\sigma_w$ to $\sigma_A$ would create a pair in the witness set representing a state in which the wand cannot be applied. Consequently, there is no need to establish the right-hand side of the wand for this pair and our logic correspondingly removes it. Finally, the rule requires that we reduce the assertion A in the new context.

A package algorithm's strategy is mostly reflected by how it uses the Extract rule. To package $acc(x.b, 1/2) -\!\!* acc(x.b, 1/2) * (x.b \Rightarrow acc(x.f))$ from Sect. 3.1, one algorithm might use this rule to extract permission to x.f; another might use it to extract permission to x.b (if x.b had value false in the original state).

³ The order in the premises is unimportant since $A_1 * A_2$ and $A_2 * A_1$ are equivalent.
⁴ We explain formally in App. D of the TR [16] the notion of a stable state, which is a technicality of our general state model; in standard SL, all states are stable.


Example of a Derivation. Let us now illustrate how these rules can be used to package the wand from Sect. 2.4, $w := acc(x.f) * (x.f = y \vee x.f = z) -\!\!* acc(x.f) * acc(x.f.g)$. We omit the path condition since it is always the trivial condition $(\lambda\sigma.\top)$. Assume that the outer state $\sigma_0$ is the addition of $\sigma_{yz}$, a state that contains permission to y.g and z.g, and $\sigma_1$. $S_0 := \{(\sigma_A, e) \mid \sigma_A \in \Sigma \wedge \sigma_A \models acc(x.f) * (x.f = y \vee x.f = z)\}$ is the initial witness set. We show below a part of a proof that $(acc(x.f) * acc(x.f.g), (\sigma_0, S_0)) \leadsto (\sigma_1, S_3)$ is correct, and thus that $\sigma_{yz}$ is a correct footprint of the wand w (since $\sigma_0 = \sigma_1 \oplus \sigma_{yz}$):

$$
\dfrac{
  \dfrac{\ \vdots\ }{(acc(x.f),\ (\sigma_0, S_0)) \leadsto (\sigma_0, S_1)}\ \text{Atom}
  \qquad
  \dfrac{
    \dfrac{\ \vdots\ }{(acc(x.f.g),\ (\sigma_1, S_2)) \leadsto (\sigma_1, S_3)}\ \text{Atom}
    \qquad \cdots
  }{(acc(x.f.g),\ (\sigma_0, S_1)) \leadsto (\sigma_1, S_3)}\ \text{Extract}
}{(acc(x.f) * acc(x.f.g),\ (\sigma_0, S_0)) \leadsto (\sigma_1, S_3)}\ \text{Star}
$$

This derivation, which reflects the package algorithm that we will describe in Sect. 3.5, can be read from bottom to top and from left to right. Using the rule Star, we split the assertion into its two conjuncts, acc(x.f) (on the left) and acc(x.f.g) (on the right). We then handle acc(x.f) using the rule Atom. acc(x.f) holds in the first element of each pair of $S_0$, since any state that satisfies the wand's left-hand side owns x.f. Therefore, we use the rule Atom with a choice function that always chooses the relevant state with exactly full permission to x.f. $S_1$ is the updated witness set where this permission to x.f has been transferred from the first to the second element of each pair of states. Next, we handle acc(x.f.g). We cannot do this directly using the rule Atom from $S_1$. We know that, for each $(\sigma_A, \sigma_B) \in S_1$, x.f is either y or z, so the location x.f.g is either y.g or z.g, but $\sigma_A$ owns neither y.g nor z.g. So, we transfer the permissions to both y.g and z.g from the outer state $\sigma_0$ to all states of $S_1$, using the rule Extract, which results in the context $(\sigma_1, S_2)$; $\cdots$ represents the three other premises of the rule, namely $\sigma_0 = \sigma_{yz} \oplus \sigma_1$, $stable(\sigma_{yz})$, and $S_2$'s definition. Finally, we apply the rule Atom to prove $(acc(x.f.g), (\sigma_1, S_2)) \leadsto (\sigma_1, S_3)$, where the choice function chooses for each pair the corresponding state that contains full permission to x.f.g.
3.4 Soundness and Completeness

We write $\vdash (B, pc, \Delta) \leadsto \Delta'$ to express that a reduction can be derived in the logic. As explained above, the goal of a package algorithm is to find a derivation of $(B, \lambda\_.\top, (\sigma, \{(\sigma_A, e) \mid \sigma_A \in S_A\})) \leadsto (\sigma', S')$. If it succeeds, then the difference between $\sigma'$ and $\sigma$ is a valid footprint of A -* B, since our package logic is sound. In particular, we have proven the following soundness result in Isabelle/HOL:

Theorem 1 (Soundness). Let B be a well-formed⁵ assertion. If

1. the set $S_A$ contains all states that satisfy A, i.e. $\forall \sigma_A.\ \sigma_A \models A \Rightarrow \sigma_A \in S_A$,
2. $\vdash (B, \lambda\_.\top, (\sigma, \{(\sigma_A, e) \mid \sigma_A \in S_A\})) \leadsto (\sigma', S')$, and
3. at least one of the following conditions holds:
   (a) B is intuitionistic
   (b) for all $(\sigma_A, \sigma_B) \in S'$, $\sigma_A$ contains no permission (i.e. $\sigma_A \oplus \sigma_A = \sigma_A$)

then there exists a stable state $\sigma_w$ s.t. $\sigma = \sigma' \oplus \sigma_w$ and $\sigma_w$ is a footprint of A -* B.

The third premise shows that, in an intuitionistic SL or in IDF, the correspondence between a derivation in the logic and a valid footprint of a wand is straightforward (case (a)). However, in class SL, one must additionally check that all permissions in the witness set have been consumed (case (b)).

We have also proved in Isabelle/HOL that our package logic is complete, i.e. any valid footprint can be computed via a derivation in our package logic:

Theorem 2 (Completeness). Let B be a well-formed (see footnote 5) assertion. If $\sigma_w$ is a stable footprint of A -* B, and $\sigma = \sigma' \oplus \sigma_w$, then there exists a witness set $S'$ such that $\vdash (B, \lambda\_.\top, (\sigma, \{(\sigma_A, e) \mid \sigma_A \in S_A\})) \leadsto (\sigma', S')$.


3.5 A Sound Package Algorithm 


We now describe an automatic package algorithm that corresponds to a proof search strategy in our package logic, and which is thus sound. To convey the main ideas, consider packaging a wand of the shape $A -\!\!* B_1 * \ldots * B_n$.⁶ Our algorithm traverses the assertion $B_1 * \ldots * B_n$ from left to right, similarly to the FIA approach; this traversal is justified by repeated applications of the rule Star. Assume at some point during this traversal that the current context is $(\sigma_0, S)$. When we encounter the assertion $B_i$, we have two possible cases:

1. All states $\sigma \in S^1$ satisfy $B_i$, which means that the permissions (or values) required by $B_i$ are provided by the left-hand side of the wand. In this case, for each pair $(\sigma_A, \sigma_B) \in S$, we transfer permissions (and the corresponding values) to satisfy $B_i$ from $\sigma_A$ to $\sigma_B$, using the rule Atom. Note that the transferred permissions might be different for each pair $(\sigma_A, \sigma_B)$. This gives us a new witness set $S'$, while the outer state $\sigma_0$ is left unchanged. We must then handle the next assertion $B_{i+1}$ in the context $(\sigma_0, S')$.

2. There is at least one pair $(\sigma_A, \sigma_B) \in S$ such that $B_i$ does not hold in $\sigma_A$. In this case, the algorithm fails if combining the permissions (and values) contained in the outer state with each $\sigma_A \in S^1$ is not sufficient to satisfy $B_i$. Otherwise, we apply the rule Extract to transfer permissions from the outer state $\sigma_0$ to each state $\sigma_A$ in $S^1$ such that $B_i$ holds in $\sigma_A$. This gives us a new context $(\sigma_1, S')$. We can now apply the first case with the context $(\sigma_1, S')$.

⁵ We formally define well-formedness in App. D of the TR [16]. Intuitively, a well-formed assertion roughly corresponds to a self-framing assertion as defined in Sect. 2.1.
⁶ In App. L of the TR [16], we also show how our package algorithm handles implications.
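To make the contrast between the FIA's per-case footprints (Sect. 2.4) and the single-footprint discipline of the package logic (Sects. 3.3 and 3.5) concrete, the following Python model is an added illustration; it is neither the paper's Isabelle/HOL development nor Viper code. It models states as partial heaps with full permissions only, checks the standard wand semantics by enumerating a constructed finite universe of three locations, and runs the witness-set algorithm of Sect. 3.5 (Atom and Extract steps, no path conditions) on the wand w of Sect. 2.4. The location names, the value domain and every function name (`package`, `is_footprint`, ...) are assumptions of this example, as is the choice to evaluate an atom in $\sigma_A \oplus \sigma_B$ so that the value of x.f remains visible after its permission has moved to $\sigma_B$.

```python
"""Finite model of wand footprints and of the witness-set package algorithm.

Added illustration for Sects. 2.4, 3.3 and 3.5; it is neither the paper's
Isabelle/HOL development nor Viper code.  A state is a partial heap with
full permissions only: a dict from an owned location ("x.f", "y.g", ...)
to its value.  Two states are compatible iff their owned locations are
disjoint, and (+) is dict union.  LOCS, VALUES, the assertion encoding and
all function names are assumptions of this example.
"""
from itertools import product

LOCS = ("x.f", "y.g", "z.g")                       # constructed finite universe
VALUES = {"x.f": ("y", "z"), "y.g": (0,), "z.g": (0,)}


def compatible(s1, s2):
    return s1.keys().isdisjoint(s2.keys())


def plus(s1, s2):
    """sigma1 (+) sigma2; only defined for compatible states."""
    assert compatible(s1, s2)
    return {**s1, **s2}


# An atomic (semantic) assertion maps a state to the set of locations it needs
# full permission to, or None when it cannot even be evaluated in that state.
def acc(loc):
    return lambda st: {loc}


def acc_deref(ref_loc, field):
    """acc(ref_loc.field), e.g. acc(x.f.g): the target depends on the value of x.f."""
    return lambda st: None if ref_loc not in st else {f"{st[ref_loc]}.{field}"}


def satisfies(st, atoms):
    """st |= atoms[0] * ... * atoms[n-1]: every needed location is owned, no reuse."""
    used = set()
    for atom in atoms:
        need = atom(st)
        if need is None or not need <= set(st) or need & used:
            return False
        used |= need
    return True


def all_states():
    """Every partial heap over LOCS: the finite model of Sigma."""
    for mask in product((False, True), repeat=len(LOCS)):
        owned = [loc for loc, m in zip(LOCS, mask) if m]
        for vals in product(*(VALUES[loc] for loc in owned)):
            yield dict(zip(owned, vals))


def is_footprint(fp, lhs, rhs):
    """Standard wand semantics: for every sigma_A |= lhs compatible with fp,
    sigma_A (+) fp |= rhs.  This is the check a sound package must pass."""
    return all(satisfies(plus(sa, fp), rhs)
               for sa in all_states() if lhs(sa) and compatible(sa, fp))


def package(outer, lhs, rhs):
    """Sect. 3.5 algorithm (no path conditions): returns (remaining outer state,
    footprint), or None if the outer state cannot supply what is missing."""
    outer, fp = dict(outer), {}
    witness = [(sa, {}) for sa in all_states() if lhs(sa)]   # pairs (sigma_A, sigma_B)
    for atom in rhs:
        # Case 2: whatever some sigma_A cannot provide must come from the outer
        # state.  Atoms are evaluated in sigma_A (+) sigma_B because the value of
        # x.f may already have moved to sigma_B (a modelling choice of this example).
        missing = set()
        for sa, sb in witness:
            need = atom(plus(sa, sb))
            if need is None:
                return None
            missing |= need - set(sa)
        if missing:
            if not missing <= set(outer):
                return None
            chunk = {loc: outer.pop(loc) for loc in missing}     # rule Extract
            fp.update(chunk)
            # pairs incompatible with the extracted chunk could never apply the wand
            witness = [(plus(sa, chunk), sb) for sa, sb in witness
                       if compatible(plus(sa, sb), chunk)]
        # Case 1: rule Atom, move the needed permission from sigma_A to sigma_B.
        moved = []
        for sa, sb in witness:
            need = atom(plus(sa, sb))
            if not need <= set(sa):
                return None
            moved.append(({l: v for l, v in sa.items() if l not in need},
                          plus(sb, {l: sa[l] for l in need})))
        witness = moved
    return outer, fp


# The wand w of Sect. 2.4: acc(x.f) * (x.f = y \/ x.f = z) -* acc(x.f) * acc(x.f.g)
LHS = lambda st: "x.f" in st and st["x.f"] in ("y", "z")
RHS = [acc("x.f"), acc_deref("x.f", "g")]


def demo():
    """Package w in the state of Sect. 2.4 (x.f, y.g and z.g owned) and compare
    with the per-case footprints {y.g} and {z.g} that the FIA effectively picks."""
    remaining, fp = package({"x.f": "y", "y.g": 0, "z.g": 0}, LHS, RHS)
    fia_cases = [{"y.g": 0}, {"z.g": 0}]
    return {"footprint": sorted(fp), "remaining": sorted(remaining),
            "sound": is_footprint(fp, LHS, RHS),
            "fia_cases_sound": [is_footprint(c, LHS, RHS) for c in fia_cases]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` packages w with footprint {y.g, z.g}, leaves only x.f in the outer state, and `is_footprint` confirms the footprint against every left-hand-side state, whereas each FIA-style single-case footprint fails that check on the state whose x.f points the other way. With an outer state lacking y.g or z.g, `package` returns None rather than a partial footprint, which is the failure the Sect. 3.5 algorithm prescribes in its second case.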


4 Using the Logic with Combinable Wands 


Extending SL with fractional permissions [4] is well-known to be useful for reasoning about heap-manipulating concurrent programs with shared state. In this setting, permission amounts are generalised to fractions $0 < p \le 1$. Reading a heap location is permitted if p > 0, and writing if p = 1, which permits concurrent reads and ensures exclusive writes. The assertion acc(x.f, p) holds in a state that has at least p permission to x.f. A permission amount p + q to a heap location x.f can be split into a permission amount p and a permission amount q, i.e. $acc(x.f, p+q) \models acc(x.f, p) * acc(x.f, q)$, and these two permissions can be recombined, i.e. $acc(x.f, p) * acc(x.f, q) \models acc(x.f, p+q)$.

This concept has been generalised [5,7,17,23,29] to fractional assertions $A^p$, representing a fraction p of A. $A^p$ holds in a state $\sigma$ iff there exists a state $\sigma_A$ in which A holds and $\sigma$ is obtained from $\sigma_A$ by multiplying all permission amounts held by p [7,29]; in this case, we write $\sigma = p \cdot \sigma_A$. For example, $acc(x.f)^p = acc(x.f, p)$, and $Tree(x)^p$ (where Tree is the predicate defined in Fig. 1) expresses p permission to all nodes of the tree rooted in x.

Using fractional assertions, one might specify a function find, which searches a binary tree and yields a subtree whose root contains key key, as follows [7]: $\{\, Tree(x)^p \,\}\ find(x, key)\ \{\, \lambda ret.\ (Tree(ret) * (Tree(ret) -\!\!* Tree(x)))^p \,\}$, in which ret corresponds to the return value of find. This postcondition is similar to the loop invariant in Fig. 1, except that it needs only a fraction p of Tree(x). A number of automatic SL verifiers, such as Caper [18], Chalice [31], VerCors [2], VeriFast [24], and Viper [34], support fractional assertions in some form.


Combinable Assertions. While it is always possible to split an assertion $A^{p+q}$ into $A^p * A^q$, recombining $A^p * A^q$ into $A^{p+q}$ is sound only under some conditions, for example [29] if A is precise (in the usual SL sense [38]). We say that A is combinable iff the entailment $A^p * A^q \models A^{p+q}$ holds for any two positive fractions p and q such that $p + q \le 1$. As an example, acc(x.f) is combinable, but $acc(x.f) \vee acc(x.g)$ is not because a state containing half permission to both x.f and x.g satisfies $(acc(x.f) \vee acc(x.g))^{0.5} * (acc(x.f) \vee acc(x.g))^{0.5}$, but not $acc(x.f) \vee acc(x.g)$. Combinable assertions are particularly useful to reason about concurrent programs, for instance, to combine the postconditions of parallel branches when they terminate [7].

However, a magic wand is in general not combinable, as we show below. This is problematic for SL verifiers; they cannot soundly combine wands, nor predicates that could possibly contain wands in their bodies. One way to prevent the latter is to forbid magic wands in predicate bodies entirely, but this limits the common usage of predicates to abstract over general assertions in specifications [35]. Another solution is to disallow combining fractional instances of a predicate if its body contains a wand, which means requiring additional annotations to "taint" such predicates transitively. This is overly restrictive for wands which are actually combinable and complicates reasoning about abstract predicate families [35].

To address this issue, we propose a novel restriction of the wand, called combinable wand (we use standard wand to refer to the usual, unrestricted connective). Unlike standard wands in general, a combinable wand is always combinable if its right-hand side is combinable. Thus, by only using combinable wands instead of standard wands, all assertions in logics such as those employed by VerCors and Viper can be made combinable without any of the other aforementioned restrictions regarding predicates. Section 5 shows that the restriction combinable wands impose is sufficiently weak for practical purposes. Finally, footprints of combinable wands can be automatically inferred by package algorithms built on our package logic. All results in this section have been proven in Isabelle/HOL.


Standard Wands are Not Combinable in General. Even if $B$ is combinable,
the standard wand $A \mathrel{-\!\!*} B$ is, in general, not. As an example, the wand
$w := \mathit{acc}(x.f, 1/2) \mathrel{-\!\!*} \mathit{acc}(x.g)$ is not combinable, because
$w^{0.5} * w^{0.5} \not\models w$. To see this, consider two states $\sigma_f$ and
$\sigma_g$, containing full permissions to only $x.f$ and $x.g$, respectively. Both
states are valid footprints of $w$, i.e. $\sigma_f \models w$ (because $\sigma_f$ is
incompatible with all states that satisfy the left-hand side) and $\sigma_g \models w$
(because $\sigma_g$ entails the right-hand side). Thus, by definition,
$0.5 \cdot \sigma_f \models w^{0.5}$ and $0.5 \cdot \sigma_g \models w^{0.5}$. However,
$0.5 \cdot \sigma_f \oplus 0.5 \cdot \sigma_g$, i.e. a state with half permission to
both $x.f$ and $x.g$, is not a valid footprint of $w$, and thus
$w^{0.5} * w^{0.5} \not\models w$.

Intuitively, w is not combinable because one of its footprints, øf, is incom- 
patible with the left-hand side of the wand, but becomes compatible when the 
footprint is scaled down to a fraction. After scaling, the wand no longer holds 
trivially, and the footprint does not necessarily establish the right-hand side. 

To make this intuition more precise, we introduce the notion of scalable footprints.
For a state $\sigma$, we define $\mathit{scaled}(\sigma)$ to be the set of copies of
$\sigma$ multiplied by any fraction $0 < \alpha \le 1$, i.e.
$\mathit{scaled}(\sigma) := \{\alpha \cdot \sigma \mid 0 < \alpha \le 1\}$. A footprint
$\sigma_w$ is scalable w.r.t. a state $\sigma_A$ iff either (1) $\sigma_A$ is compatible
with all states from $\mathit{scaled}(\sigma_w)$, or (2) $\sigma_A$ is compatible with
no state in $\mathit{scaled}(\sigma_w)$. A footprint is scalable for a wand
$A \mathrel{-\!\!*} B$ iff it is scalable w.r.t. all states that satisfy $A$.
Intuitively, this means that the footprint does not “jump” between satisfying the
wand trivially and having to satisfy the right-hand side. In the above example,
$\sigma_g$ is a scalable footprint for $w$, but $\sigma_f$ is not.


Making Wands Combinable. The previous paragraphs show that, even if $B$ is
combinable, the standard wand $A \mathrel{-\!\!*} B$ is in general not combinable because
it can be satisfied by non-scalable footprints. Therefore, we define a novel restricted
interpretation for wands that forces footprints to be scalable, in the following
sense. The restricted interpretation of a wand accepts all scalable footprints, and
transforms non-scalable footprints before checking whether they actually satisfy
the wand. We call a wand with this restricted interpretation a combinable wand,
and write $A \mathrel{-\!\!*_c} B$ to differentiate it from the standard wand
$A \mathrel{-\!\!*} B$.

For standard wands, any state $\sigma_w$ is a footprint of $A \mathrel{-\!\!*} B$ iff, for
all states $\sigma_A$ that satisfy $A$,
$\sigma_A \mathrel{\#} \sigma_w \Rightarrow \sigma_A \oplus \sigma_w \models B$. We obtain
the definition of combinable wands by replacing $\sigma_w$ with a (possibly smaller)
state $R(\sigma_A, \sigma_w)$ that is scalable w.r.t. $\sigma_A$. $R(\sigma_A, \sigma_w)$
is defined as $\sigma_w$ if no state in $\mathit{scaled}(\sigma_w)$ is compatible with
$\sigma_A$; in that case, condition (2) of scalable footprints holds for
$R(\sigma_A, \sigma_w)$ w.r.t. $\sigma_A$. Otherwise, $R(\sigma_A, \sigma_w)$ is obtained
by removing just enough permissions from $\sigma_w$ to ensure that all states in
$\mathit{scaled}(R(\sigma_A, \sigma_w))$ are compatible with $\sigma_A$, which ensures
that condition (1) holds for $R(\sigma_A, \sigma_w)$ w.r.t. $\sigma_A$.

To formally define $R(\sigma_A, \sigma_w)$, we fix a concrete separation algebra
(formally defined in App. G of the TR [16]), whose states are pairs $(\pi, h)$ of a
permission mask $\pi$, which maps heap locations to fractional permissions, and a
partial heap $h$, which maps heap locations to values.


Definition 1. Let $(\pi_A, h_A)$ and $(\pi_w, h_w)$ be two states, and let $\pi'_w$ be
the permission mask such that $\forall l.\ \pi'_w(l) = \min(\pi_w(l), 1 - \pi_A(l))$.
Then

$$R((\pi_A, h_A), (\pi_w, h_w)) =
\begin{cases}
(\pi_w, h_w) & \text{if } \forall \sigma \in \mathit{scaled}((\pi_w, h_w)).\ \neg\big((\pi_A, h_A) \mathrel{\#} \sigma\big) \\
(\pi'_w, h_w) & \text{otherwise}
\end{cases}$$


The combinable wand $A \mathrel{-\!\!*_c} B$ is then interpreted as follows:


$$\sigma_w \models A \mathrel{-\!\!*_c} B \iff
\big(\forall \sigma_A.\ \sigma_A \models A \wedge \sigma_A \mathrel{\#} R(\sigma_A, \sigma_w)
\Rightarrow \sigma_A \oplus R(\sigma_A, \sigma_w) \models B\big)$$
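The running example $w = \mathit{acc}(x.f, 1/2) \mathrel{-\!\!*} \mathit{acc}(x.g)$, the scalability check, Definition 1 and the interpretation of combinable wands, worked through in Python as an added example (not the paper's Isabelle/HOL development). States are (mask, heap) pairs, the quantification over all states satisfying $A$ is approximated by a constructed finite sample, and condition (2) of scalability is decided by the monotonicity of compatibility in the scaling factor.

```python
from fractions import Fraction as Fr

# Added illustration of Definition 1 and the combinable-wand interpretation; it is
# not the paper's Isabelle/HOL formalisation. A state is a pair (mask, heap): mask
# maps a heap location to a fractional permission in (0, 1], heap maps every
# location with positive permission to its value.

def perm(state, loc):
    return state[0].get(loc, Fr(0))

def compatible(s1, s2):
    """s1 # s2: permissions sum to at most 1 and jointly owned locations agree."""
    for loc in set(s1[0]) | set(s2[0]):
        p1, p2 = perm(s1, loc), perm(s2, loc)
        if p1 + p2 > 1:
            return False
        if p1 > 0 and p2 > 0 and s1[1][loc] != s2[1][loc]:
            return False
    return True

def scale(alpha, state):
    """alpha * state for a fraction 0 < alpha <= 1, an element of scaled(state)."""
    return ({l: alpha * p for l, p in state[0].items()}, dict(state[1]))

def combine(s1, s2):
    """s1 (+) s2; only defined for compatible states."""
    assert compatible(s1, s2)
    mask = {l: perm(s1, l) + perm(s2, l) for l in set(s1[0]) | set(s2[0])}
    return (mask, {**s1[1], **s2[1]})

def compatible_with_no_scaling(sigma_a, sigma_w):
    """True iff sigma_a is compatible with NO state of scaled(sigma_w).
    Compatibility with alpha * sigma_w is monotone in alpha (smaller is easier),
    so this holds exactly when arbitrarily small fractions of sigma_w still clash
    with sigma_a: a disagreement on a jointly owned heap value, or a location to
    which sigma_a already holds full permission while sigma_w holds some."""
    for loc in sigma_w[0]:
        pa = perm(sigma_a, loc)
        if pa > 0 and sigma_a[1][loc] != sigma_w[1][loc]:
            return True
        if pa == 1:
            return True
    return False

def is_scalable(sigma_w, sigma_a):
    """sigma_w is scalable w.r.t. sigma_a: (1) sigma_a is compatible with all of
    scaled(sigma_w), for which alpha = 1 is the hardest case, or (2) with none."""
    return compatible(sigma_a, sigma_w) or compatible_with_no_scaling(sigma_a, sigma_w)

def restrict(sigma_a, sigma_w):
    """R(sigma_a, sigma_w) of Definition 1: keep sigma_w when no scaled copy is
    compatible, otherwise cut each permission down to min(pi_w(l), 1 - pi_A(l))."""
    if compatible_with_no_scaling(sigma_a, sigma_w):
        return sigma_w
    mask = {l: min(p, 1 - perm(sigma_a, l)) for l, p in sigma_w[0].items()}
    return ({l: p for l, p in mask.items() if p > 0}, dict(sigma_w[1]))

def holds_acc(state, loc, amount):
    """Intuitionistic acc(loc, amount): at least `amount` permission to loc."""
    return perm(state, loc) >= amount

def is_footprint(sigma_w, a_states, holds_b, combinable):
    """Footprint check for A -* B (standard) or A -*_c B (combinable). The
    quantification over all states satisfying A is approximated by the
    constructed finite sample `a_states`."""
    for sigma_a in a_states:
        fp = restrict(sigma_a, sigma_w) if combinable else sigma_w
        if compatible(sigma_a, fp) and not holds_b(combine(sigma_a, fp)):
            return False
    return True

# Constructed running example: w = acc(x.f, 1/2) -* acc(x.g); both fields hold 0.
SIGMA_F = ({"x.f": Fr(1)}, {"x.f": 0})
SIGMA_G = ({"x.g": Fr(1)}, {"x.g": 0})
A_STATES = [  # sample states satisfying the left-hand side acc(x.f, 1/2)
    ({"x.f": Fr(1, 2)}, {"x.f": 0}),
    ({"x.f": Fr(1)}, {"x.f": 0}),
    ({"x.f": Fr(1, 2), "x.g": Fr(1, 2)}, {"x.f": 0, "x.g": 0}),
]

def holds_b(state):
    return holds_acc(state, "x.g", Fr(1))

if __name__ == "__main__":
    for name, s in (("sigma_f", SIGMA_F), ("sigma_g", SIGMA_G)):
        print(name, "standard:", is_footprint(s, A_STATES, holds_b, False),
              "combinable:", is_footprint(s, A_STATES, holds_b, True))
```

Run stand-alone, the block reports that $\sigma_f$ is a footprint of the standard wand but not of the combinable one, while $\sigma_g$ is a footprint of both.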


The following theorem (proved in Isabelle/HOL) shows some key properties 
of combinable wands. 


Theorem 3. Let $B$ be an intuitionistic assertion.


1. If $B$ is combinable, then $A \mathrel{-\!\!*_c} B$ is combinable.
2. $A \mathrel{-\!\!*_c} B \models A \mathrel{-\!\!*} B$.
3. If $A$ is a binary assertion, then $A \mathrel{-\!\!*_c} B$ and $A \mathrel{-\!\!*} B$ are equivalent.


Property 1 expresses that combinable wands constructed from combinable
assertions are combinable, which enables verification methodologies underlying
tools such as VerCors and Viper to support flexible combinations of wands and
predicates (as motivated at the start of this section). Property 2 implies that
$A * (A \mathrel{-\!\!*_c} B) \models B$, that is, combinable wands can be applied like
standard wands. Property 3 states that combinable wands pose no restrictions if
the left-hand side is binary, that is, if it can be expressed without fractional
permissions (formally defined in App. G of the TR [16]). For example, the predicate
$\mathit{Tree}(x)$ from Fig. 1 is binary, which implies that the wands
$\mathit{Tree}(y) \mathrel{-\!\!*_c} \mathit{Tree}(x)$ and
$\mathit{Tree}(y) \mathrel{-\!\!*} \mathit{Tree}(x)$ are equivalent. This property is an
important reason for why combinable wands are expressive enough for practical
purposes, as we further evidence in Sect. 5.
Table 1. Verification results on our 56 benchmarks with the FIA, our algorithm for 
standard wands (S-Alg), and for combinable wands (C-Alg). For each algorithm, we 
report the number of correct verification results, false negatives, and false positives. 


Algorithm   Expected result   Incorrectly verified   Spurious errors
FIA                      55                      1                 0
S-Alg                    51                      0                 5
C-Alg                    48                      0                 8


Footprints of combinable wands can be automatically inferred by algorithms 
built on our package logic. We explain (along with examples) in App. H of the 
TR [16] how to lift the package logic presented in Sect. 3 to handle alternative def- 
initions of allowable footprints such as the restrictions imposed by Definition 1. 


5 Evaluation 


We have implemented package algorithms for the standard wands and combin- 
able wands in a custom branch of Viper’s [34] verification condition generator 
(VCG). Both are based on the package logic described in Sect. 3, adapted to the 
fractional permission setting. Both algorithms automate the proof search strat- 
egy outlined in Sect. 3.5. Viper’s VCG translates Viper programs to Boogie [32] 
programs. It uses a total-heap semantics of IDF [36], where Viper states include 
a heap and a permission mask (tracking fractional permission amounts). The 
heap and mask are represented in Boogie as maps; we also represent witness sets 
as Boogie maps. 

We evaluate our implementations of the package algorithms on Viper’s test 
suite and compare them to Viper’s implementation of the FIA as presented in 
Sect. 2.4. Our key findings are that our algorithms (1) enable the verification 
of almost all correct package operations, (2) correctly report package operations 
that are supposed to fail (in contrast to the FIA), and (3) have an acceptable 
performance overhead compared to the FIA. Moreover, interpreting wands as 
combinable wands as explained in Sect. 4 has only a minor effect on the results, 
but correctly rejects attempts to package a non-combinable wand. This finding 
suggests that verifiers could improve their expressiveness by allowing flexible 
combinations of wands and predicates with only a minor completeness penalty. 

For our evaluation, we considered all 85 files in the test suite for Viper’s 
VCG with at least one package operation. From these 85 files, we removed 29 
files containing features that our implementation does not yet support. 28 of 
these 29 files require proof scripts to guide the footprint inference, which are 
orthogonal to the concerns of this paper (see App. J of the TR [16] for details). 

Table 1 gives an overview of our results. These confirm that our algorithms 
for standard and combinable wands (S-Alg and C-Alg) do not produce false neg- 
atives, that is, are sound. In contrast, the FIA does verify an incorrect program 
(which is similar to the example in Sect. 2.4). While this is only a single unsound 
example, it is worth emphasising that (a) it comes from the pre-existing test suite 
of the tool itself, (b) the unsoundness was not known until our work, and (c) 
soundness issues in a program verifier are critical to address; we show how to 
achieve this. 

Compared with the FIA, our implementation reports a handful of false posi- 
tives (spurious errors). For S-Alg, 3 out of 5 false positives are caused by missing 
features of our implementation (such as remembering a subset of the permissions 
that are inside predicate instances when manipulating predicates); these features 
could be straightforwardly added in the future. The other 2 false positives are 
caused by S-Alg’s strategy. In one, the only potential footprint prevents the wand 
from ever being applied; although technically a false positive, it seems useful to 
reject the wand and alert the user. The other case is due to a coarse-grained 
heuristic applied by S-Alg that can be improved. 

C-Alg reports the expected result in 48 benchmarks. Importantly, it correctly 
rejects one wand that indeed does not hold as a combinable wand. 5 of the 8 
false positives are identical to those for S-Alg. In the other three benchmarks, 
the wands still do hold as combinable wands, but further extensions to C-Alg are 
required to handle them due to technical challenges regarding predicate instances. 
Once these extensions have been implemented, C-Alg will be as precise as S-Alg, 
indicating that comparable program verifiers could switch to combinable wands 
to simply enable sound, flexible combinations with predicates. 

To evaluate performance, we ran each of the three implementations 5 times 
on each of the 56 benchmarks on a Lenovo T480 with 32 GB of RAM and an i7- 
8550U 1.8 GHz CPU, running on Windows 10. We removed the slowest and fastest 
time, and then took the mean of the remaining 3 runs. The FIA takes between 1 
and 11 seconds per benchmark. On average, S-Alg is 21% slower than the FIA. For 
46 of the 56 examples, the increase is less than 30%, and for 3 examples S-Alg is 
between a factor 2 and 3.4 slower. The overhead is most likely due to the increased 
complexity of our algorithms, which track more states explicitly and require more 
quantified axioms in the Boogie encoding. C-Alg is on average 10% slower than 
S-Alg. We consider the performance overhead of our algorithms to be acceptable, 
especially since wands occur much more frequently in our benchmarks than in aver- 
age Viper projects, as judged by existing tests and examples. More representative 
projects will, thus, incur a much smaller slow-down. 


6 Related Work 


VerCors [2] and Viper [34] are to the best of our knowledge the only automatic 
SL verifiers that support magic wands. Both employ package and apply ghost oper- 
ations. VerCors’ package algorithm requires a user to manually specify a foot- 
print whereas Viper infers footprints using the FIA, which is unsound as we show 
in Sect. 2.4. Our package algorithm is as automatic as the FIA but is sound. 

Lee and Park [30] develop a sound and complete proof system for SL including 
the magic wand. Moreover, they derive a decision procedure from their complete- 
ness proof for propositional SL. However, more expressive versions of SL (that 
include e.g. predicates and quantifiers) are undecidable [6] and so this decision 
procedure cannot be directly applied in the logics employed by program verifiers. 

Chang et al. [11] define a shape analysis that derives magic wands $A \mathrel{-\!\!*} B$ 
of a restricted form ($A$ and $B$ cannot contain general imprecise assertions); 
our package logic does not impose such restrictions, which rule out some useful 
kinds of wands. For example, A may be a data structure with a read-only part 
expressed via existentially-quantified fractional permissions or A may contain the 
necessary permission to invoke a method, which may be an arbitrary assertion. 
In follow-up work, Chang and Rival [10] present a restricted “inductive” magic 
wand. Footprints of inductive wands are expressed via a finite unrolling of an 
inductive predicate defining B until the permissions in A are revealed. Such 
wands are useful to reason about data structures with back-pointers such as 
doubly-linked lists. 

Iris [26] provides a custom proof mode [27] for interactive SL proofs in 
Coq [12]. Separation logics expressed in Iris support wands and are more expres- 
sive than those of automatic SL verifiers at the cost of requiring more user 
guidance. Packaging a wand in the proof mode requires manually specifying a 
footprint and proving that the footprint is correct. While tactics can be used in 
principle to automate parts of this process, there are no specific tactics to infer 
footprints. 

Fractional assertions have been used in various forms [5,7,17,23,29]. Le and 
Hobor [29] allow combining two fractional assertions $A^{\pi_1}$ and $A^{\pi_2}$ only if $A$ is 
precise in the SL sense (i.e. $A$ describes the contents of the heaps in which 
it holds precisely). To avoid requiring A to be precise, Brotherston et al. [7] 
introduce nominal labels for assertions. If an assertion is split into two fractional 
assertions, then the same fresh label can be associated with both parts to indicate 
that they were split from the same assertion. 

Two fractional assertions with the same label can be combined. However, 
this solution has not been implemented and does not deal with packaging wands. 
Our solution also avoids requiring that an assertion is precise and allows com- 
bining assertions even if they were not split from the same assertion. Instead of 
introducing labels, we introduce a light restriction that ensures that wands are 
always combinable. As a result, assertions containing combinable wands but no 
other potentially imprecise connectives (such as disjunction) are combinable. In 
particular, all assertions employed in verifiers such as VerCors and Viper can be 
made combinable thanks to our work. 


7 Conclusion 


We presented a package logic that precisely characterises sound package algo- 
rithms for automated reasoning about magic wands. Based on this logic, we 
developed a novel package algorithm that is inspired by an existing approach, 
but is sound. Moreover, we identified a sufficient criterion for wands to be com- 
binable, such that they can be used flexibly in logics with fractional permissions, 
and presented a package algorithm for combinable wands. We implemented our 
solutions in Viper and demonstrated their practical usefulness. The soundness 
and completeness of our package logic, as well as key properties of combinable 
wands are all proved in Isabelle/HOL. As future work, we plan to extend the 
implementation of the two package algorithms described in Sect.5 by porting 
various features of the pre-existing FIA implementation. Moreover, we will use 
our package logic to develop another algorithm for Viper’s symbolic-execution 
verifier. 
Abstract. The determinization of a nondeterministic Büchi automaton 
(NBA) is a fundamental construction of automata theory, with appli- 
cations to probabilistic verification and reactive synthesis. The stan- 
dard determinization constructions, such as the ones based on the Safra- 
Piterman’s approach, work on the whole NBA. In this work we propose a 
divide-and-conquer determinization approach. To this end, we first clas- 
sify the strongly connected components (SCCs) of the given NBA as 
inherently weak, deterministic accepting, and nondeterministic accept- 
ing. We then present how to determinize each type of SCC independently 
from the others; this results in an easier handling of the determinization 
algorithm that takes advantage of the structure of that SCC. Once all 
SCCs have been determinized, we show how to compose them so to 
obtain the final equivalent deterministic Emerson-Lei automaton, which 
can be converted into a deterministic Rabin automaton without blow- 
up of states and transitions. We implement our algorithm in our tool 
COLA and empirically evaluate COLA with the state-of-the-art tools 
SPOT and OWL on a large set of benchmarks from the literature. The 
experimental results show that our prototype COLA outperforms SPOT 
and OWL regarding the number of states and transitions. 


1 Introduction 


Nondeterministic Büchi automata (NBAs) [6] are finite automata accepting infinite
words; they are a simple and popular formalism used in model checking to
represent reactive and non-terminating systems and their specifications,
characterized by $\omega$-regular languages [2]. Due to their nondeterminism, however,
there are situations in which NBAs are not suitable, so deterministic automata are
required, as it happens in probabilistic verification [2] and reactive synthesis
from logical specifications [34]. Consequently, translating NBAs into equivalent
deterministic $\omega$-automata (that is, deterministic automata accepting the same
$\omega$-regular language) is a necessary operation for solving these problems. While
there exists a direct translation from linear temporal logic (LTL) to deterministic
$\omega$-automata [15], not all problems of interest can be formalized by LTL formulas,
since LTL cannot express the full class of $\omega$-regular properties [42]. For instance,
we have to use Linear Dynamic Logic (LDL) [11,41] instead of LTL to express
the $\omega$-regular property “the train will arrive in every odd minute”. To the best
of our knowledge, we still need to go through the determinization of NBAs for
LDL to obtain deterministic $\omega$-automata. Therefore, NBA determinization is
very important in verifying the whole class of $\omega$-regular properties.

The determinization of NBAs is a fundamental problem in automata theory
that has been actively studied for decades. For the determinization of
nondeterministic automata accepting finite words, it suffices to use a subset
construction [20]. Determinization constructions for NBAs are, however, much more
involved since the simple subset construction is not sufficient [36]. Safra [36]
gave the first determinization construction for NBAs with the optimal complexity
$2^{O(n \log n)}$, where $n$ is the number of states of the input NBA; Michel [30] then
gave a lower bound $n!$ for determinizing NBAs. Safra’s construction has been further
optimized by Piterman [33] to $O((n!)^2)$ [38], resulting in the widely known
Safra-Piterman’s construction. The Safra-Piterman’s construction is rather
challenging, while still being the most practical way for Büchi complementation [40].
Research on determinization since then either aims at developing alternative
Safraless constructions [18,21,28] or further tightening the upper and lower
bounds of the NBA determinization [9,26,39,43].

In this paper, we focus on the practical aspects of Büchi determinization. All 
works on determinization mentioned above focus on translating NBAs to either 
deterministic Rabin or deterministic parity automata. According to [87], the 
more relaxed an acceptance condition is, the more succinct a finite automaton 
can be, regarding the number of states. In view of this, we consider the trans- 
lation of NBAs to deterministic Emerson-Lei automata (DELAs) [13,37] whose 
acceptance condition is an arbitrary Boolean combination of sets of transitions 
to be seen finitely or infinitely often, the most generic acceptance condition for 
a deterministic automaton. We consider here transition-based automata rather 
than the usual state-based automata since the former can be more succinct [12]. 

The Büchi determinization algorithms available in literature operate on the 
whole NBA structure at once, which does not scale well in practice due to the 
complex structure and the big size of the input NBA. In this work we apply a 
divide-and-conquer methodology to Büchi determinization. We propose a deter- 
minization algorithm for NBAs to DELAs based on their strongly connected 
components (SCCs) decomposition. We first classify the SCCs of the given NBA 
into three types: inherently weak, in which either all cycles do not visit accept- 
ing transitions or all must visit accepting transitions; deterministic accepting 
and nondeterministic accepting, which contain an accepting transition and are 
deterministic or nondeterministic, respectively. We show how to divide the whole 
Büchi determinization problem into the determinization for each type of SCCs 
independently, in which the determinization for an SCC takes advantage of the 
structure of that SCC. Then we show how to compose the results of the local 
determinization for each type of SCCs, leading to the final equivalent DELA. 
An extensive experimental evaluation confirms that the divide-and-conquer app- 
roach pays off also for the determinization of the whole NBA. 


Contributions. First, we propose a divide-and-conquer determinization algo- 
rithm for NBAs, which takes advantage of the structure of different types of 
SCCs and determinizes SCCs independently. Our construction builds an equiva- 
lent DELA that can be converted into a deterministic Rabin automaton without 
blowing up states and transitions (cf. Theorem 2). To the best of our knowledge, 
we propose the first determinization algorithm that constructs a DELA from 
an NBA. Second, we show that there exists a family of NBAs for which our 
algorithm gives a DELA of size $2^{n+2}$ while classical works construct a DPA of 
size at least $n!$ (cf. Theorem 3). Third, we implement our algorithm in our tool 
COLA and evaluate it with the state-of-the-art tools SPOT [12] and OWL [23] 
on a large set of benchmarks from the literature. The experiments show that 
COLA outperforms SPOT and OWL regarding the number of states and transi- 
tions. Finally, we remark that the determinization complexity for some classes 
of NBAs can be exponentially better than the known ones (cf. Corollary 1). 


2 Preliminaries 


Let $\Sigma$ be a given alphabet, i.e., a finite set of letters. A transition-based Emerson-
Lei automaton can be seen as a generalization of other types of $\omega$-automata, like
Büchi, Rabin or parity. Formally, it is defined in the HOA format [1] as follows:


Definition 1. A nondeterministic Emerson-Lei automaton (NELA) is a tuple
$\mathcal{A} = (Q, \iota, \delta, \Gamma_k, p, \mathit{Acc})$, where $Q$ is a finite set of states; $\iota \in Q$ is the initial
state; $\delta \subseteq Q \times \Sigma \times Q$ is a transition relation; $\Gamma_k = \{0, 1, \cdots, k\}$, where $k \in \mathbb{N}$,
is a set of colors; $p : \delta \to 2^{\Gamma_k}$ is a coloring function for transitions; and $\mathit{Acc}$ is
an acceptance formula over $\Gamma_k$, given by the following grammar, where $x \in \Gamma_k$:


$$\alpha := \mathsf{tt} \mid \mathsf{ff} \mid \mathsf{Fin}(x) \mid \mathsf{Inf}(x) \mid \alpha \vee \alpha \mid \alpha \wedge \alpha.$$


We remark that the colors in $\Gamma_k$ are not required to be all used in $\mathit{Acc}$. We
call a NELA a deterministic Emerson-Lei automaton (DELA) if for each $q \in Q$
and $a \in \Sigma$, there is at most one $q' \in Q$ such that $(q, a, q') \in \delta$.

In the remainder of the paper, we consider $\delta$ also as a function $\delta : Q \times \Sigma \to 2^Q$
such that $q' \in \delta(q, a)$ whenever $(q, a, q') \in \delta$; we also write $q \xrightarrow{a} q'$ for
$(q, a, q') \in \delta$ and we extend it to words $u = u_0 u_1 \cdots u_n \in \Sigma^*$ in the natural way,
i.e., $q \xrightarrow{u} q' = q \xrightarrow{u[0]} q_1 \xrightarrow{u[1]} \cdots \xrightarrow{u[n]} q'$, where $\sigma[i]$ denotes the
element $s_i$ of the sequence of elements $\sigma = s_0 s_1 s_2 \cdots$ at position $i$. We assume
without loss of generality that each automaton is complete, i.e., for each state $q \in Q$
and letter $a \in \Sigma$, we have $\delta(q, a) \neq \emptyset$. If it is not complete, we make it complete
by adding a fresh state $q_\bot \notin Q$ and redirecting all missing transitions to it.

A run of $\mathcal{A}$ over an $\omega$-word $w \in \Sigma^\omega$ is an infinite sequence of states $\rho$ such
that $\rho[0] = \iota$, and for each $i \in \mathbb{N}$, $(\rho[i], w[i], \rho[i+1]) \in \delta$.
The language $L(\mathcal{A})$ of $\mathcal{A}$ is the set of words accepted by $\mathcal{A}$, i.e., the set of words
$w \in \Sigma^\omega$ such that there exists a run $\rho$ of $\mathcal{A}$ over $w$ such that $p(\mathit{inf}(\rho)) \models \mathit{Acc}$,
where $\mathit{inf}(\rho) = \{(q, a, q') \in \delta \mid \forall i \in \mathbb{N}.\ \exists j > i.\ (\rho[j], w[j], \rho[j+1]) = (q, a, q')\}$
and the satisfaction relation $\models$ is defined recursively as follows: given $M \subseteq \Gamma_k$,


$$\begin{array}{lll}
M \models \mathsf{tt}, & M \models \mathsf{Fin}(x) \text{ iff } x \notin M, & M \models \alpha_1 \vee \alpha_2 \text{ iff } M \models \alpha_1 \text{ or } M \models \alpha_2, \\
M \not\models \mathsf{ff}, & M \models \mathsf{Inf}(x) \text{ iff } x \in M, & M \models \alpha_1 \wedge \alpha_2 \text{ iff } M \models \alpha_1 \text{ and } M \models \alpha_2.
\end{array}$$


Intuitively, a run $\rho$ over $w$ is accepting if the set of colors (induced by $\rho$) that
occur infinitely often in $\rho$ satisfies the acceptance formula $\mathit{Acc}$. Here $\mathsf{Fin}(x)$
specifies that the color $x$ appears only finitely often, while $\mathsf{Inf}(x)$ requires
the color $x$ to be seen infinitely often.

The more common types of $\omega$-automata, such as Büchi, parity and Rabin can
be treated as Emerson-Lei automata with the following acceptance formulas.


Definition 2. A NELA $\mathcal{A} = (Q, \iota, \delta, \Gamma_k, p, \mathit{Acc})$ is said to be


- a Büchi automaton (BA) if $k = 0$ and $\mathit{Acc} = \mathsf{Inf}(0)$. Transitions with color
0 are usually called accepting transitions. Thus, a run $\rho$ is accepting if
$p(\mathit{inf}(\rho)) \cap \{0\} \neq \emptyset$, i.e., $\rho$ takes accepting transitions infinitely often;

- a parity automaton (PA) if $k$ is even and
$\mathit{Acc} = \bigvee_{i=0}^{k/2} \big(\bigwedge_{j=1}^{i} \mathsf{Fin}(2j-1) \wedge \mathsf{Inf}(2i)\big)$.
A run $\rho$ is accepting if the minimum color in $p(\mathit{inf}(\rho))$ is even;

- a Rabin automaton (RA) if $k$ is an odd number and $\mathit{Acc} = (\mathsf{Fin}(0) \wedge \mathsf{Inf}(1)) \vee
\cdots \vee (\mathsf{Fin}(k-1) \wedge \mathsf{Inf}(k))$. Intuitively, a run $\rho$ is accepting if there exists an
odd integer $0 < j \le k$ such that $j-1 \notin p(\mathit{inf}(\rho))$ and $j \in p(\mathit{inf}(\rho))$.


When the NELA $\mathcal{A} = (Q, \iota, \delta, \Gamma_k, p, \mathit{Acc})$ is a nondeterministic BA (NBA),
we just write $\mathcal{A}$ as $(Q, \iota, \delta, F)$ where $F$ is the set of accepting transitions. We
call a set $C \subseteq Q$ a strongly connected component (SCC) of $\mathcal{A}$ if for every pair of
states $q, q' \in C$, we have that $q \xrightarrow{u} q'$ for some $u \in \Sigma^*$ and $q' \xrightarrow{v} q$ for some
$v \in \Sigma^*$, i.e., $q$ and $q'$ can be reached by each other; by default, each state $q \in Q$
reaches itself. $C$ is a maximal SCC if it is not a proper subset of another SCC.
All SCCs considered in the work are maximal. We call an SCC $C$ accepting if
there is a transition $(q, a, q') \in (C \times \Sigma \times C) \cap F$ and nonaccepting otherwise. We
say that an SCC $C'$ is reachable from an SCC $C$ if there exist $q \in C$ and $q' \in C'$
such that $q \xrightarrow{u} q'$ for some $u \in \Sigma^*$. An SCC $C$ is inherently weak if either
every cycle going through the $C$-states visits at least one accepting transition
or none of the cycles visits an accepting transition. We say that an SCC $C$ is
deterministic if for every state $q \in C$ and $a \in \Sigma$, we have $|\delta(q, a) \cap C| \le 1$. Note
that a state $q$ in a deterministic SCC $C$ can have multiple successors for a letter
$a$, but at most one successor remains in $C$.
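The SCC notions of this paragraph (maximal SCC, accepting, inherently weak, deterministic) and the resulting three-way classification used later in the paper, implemented in Python as an added example over a constructed NBA with transition-based acceptance (my own automaton, not Fig. 1, although its four SCCs have the same kinds as the ones described for Fig. 1). Inherent weakness is decided via the observation that every cycle of an SCC takes an accepting transition iff the non-accepting transitions inside that SCC form an acyclic graph.

```python
from collections import deque

# Added example, not the paper's code: a constructed NBA with transition-based
# acceptance over the alphabet {a, b}. DELTA[q][a] is the successor set delta(q, a)
# and F the set of accepting transitions (q, a, q'). The automaton is complete.
ALPHABET = ("a", "b")
DELTA = {
    "q0": {"a": {"q0", "q1"}, "b": {"q0"}},
    "q1": {"a": {"q0"}, "b": {"q2"}},
    "q2": {"a": {"q3"}, "b": {"q4"}},
    "q3": {"a": {"q2"}, "b": {"q6"}},
    "q4": {"a": {"q5"}, "b": {"q4"}},
    "q5": {"a": {"q5"}, "b": {"q4", "q6"}},
    "q6": {"a": {"q6"}, "b": {"q6"}},
}
F = {("q0", "a", "q0"), ("q2", "a", "q3"), ("q3", "a", "q2"), ("q4", "a", "q5")}

def reachable(q):
    """All states reachable from q by some finite word (q itself included)."""
    seen, todo = {q}, deque([q])
    while todo:
        p = todo.popleft()
        for a in ALPHABET:
            for r in DELTA[p][a]:
                if r not in seen:
                    seen.add(r)
                    todo.append(r)
    return seen

def maximal_sccs():
    """q and q' share a maximal SCC iff each reaches the other."""
    reach = {q: reachable(q) for q in DELTA}
    return {frozenset(r for r in reach[q] if q in reach[r]) for q in DELTA}

def is_acyclic(nodes, edges):
    """Kahn's algorithm on the graph (nodes, edges); a self-loop counts as a cycle."""
    indeg = {n: 0 for n in nodes}
    for succs in edges.values():
        for r in succs:
            indeg[r] += 1
    ready = [n for n in nodes if indeg[n] == 0]
    removed = 0
    while ready:
        n = ready.pop()
        removed += 1
        for r in edges.get(n, ()):
            indeg[r] -= 1
            if indeg[r] == 0:
                ready.append(r)
    return removed == len(nodes)

def classify_scc(C):
    """'IWC', 'DAC' or 'NAC' for a maximal SCC C, following the definitions above."""
    inner = [(q, a, r) for q in C for a in ALPHABET for r in DELTA[q][a] if r in C]
    accepting = any(t in F for t in inner)
    # Every cycle of C visits an accepting transition iff the non-accepting
    # transitions inside C form an acyclic graph. Since every transition inside an
    # SCC lies on a cycle, "no cycle is accepting" iff C has no accepting transition.
    nonacc = {q: set() for q in C}
    for q, a, r in inner:
        if (q, a, r) not in F:
            nonacc[q].add(r)
    if not accepting or is_acyclic(C, nonacc):
        return "IWC"
    deterministic = all(len(DELTA[q][a] & C) <= 1 for q in C for a in ALPHABET)
    return "DAC" if deterministic else "NAC"

def classify_all():
    """Map every maximal SCC of the constructed NBA to its kind."""
    return {C: classify_scc(C) for C in maximal_sccs()}

if __name__ == "__main__":
    for C, kind in sorted(classify_all().items(), key=lambda kv: sorted(kv[0])):
        print(sorted(C), kind)
```

Note that $\{q_4, q_5\}$ is classified as deterministic although $q_5$ has two $b$-successors, because only one of them stays inside the SCC.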

Figure 1 shows an example of NBA we will use for our examples in the remainder
of the paper; we depict the accepting transitions with a double arrow. Clearly,
inside each SCC, depicted as a box, each state can be reached by any other state,
and the SCCs are maximal. The SCC $\{q_2, q_3\}$ is inherently weak and accepting,
since every cycle takes an accepting transition; the SCC $\{q_6\}$ is also inherently
weak, but nonaccepting, since no cycle takes an accepting transition.
Fig. 1. An example of NBA. 


The remaining two SCCs, i.e., $\{q_0, q_1\}$ and $\{q_4, q_5\}$, are not inherently weak,
since some cycle takes accepting transitions (like the cycle $q_0 \Rightarrow q_0$) while others
do not (like the cycle $q_0 \xrightarrow{a} q_0$). Both SCCs contain an accepting transition,
so they are accepting; the SCC $\{q_0, q_1\}$ is clearly nondeterministic, while the
SCC $\{q_4, q_5\}$ is deterministic. Note that from $q_5$ we have two transitions labelled
by $b$, but only the transition $q_5 \xrightarrow{b} q_4$ remains inside the SCC, while the other
transition $q_5 \xrightarrow{b} q_6$ leaves the SCC, so the SCC is still deterministic.

The following proposition is well known and is often used in prior works.


Proposition 1. Let $\mathcal{A}$ be an NBA and $w \in \Sigma^\omega$. A run of $\mathcal{A}$ over $w$ will
eventually stay in an SCC. Moreover, if $w \in L(\mathcal{A})$, every accepting run of $\mathcal{A}$ over $w$
will eventually stay in an accepting SCC.


Proposition 1 is the key ingredient of our algorithm: it allows us to determinize
the SCCs independently, as $L(\mathcal{A})$ is the union of the words whose runs
stay in each accepting SCC. In the remainder of the paper, we first present a
translation from an NBA $\mathcal{A}$ to a DELA $\mathcal{A}^E$ based on the SCC decomposition of
$\mathcal{A}$. The obtained DELA $\mathcal{A}^E$ in fact can be converted to a deterministic Rabin
automaton (DRA) $\mathcal{A}^R$ without blowing up states and transitions, i.e., we can
just convert the coloring function and the acceptance formula of $\mathcal{A}^E$ to DRAs.


3 Determinization Algorithms of SCCs 


Determinizing each SCC of A independently is not straightforward since it may 
be reached from the initial state only after reading a nonempty finite word; 
moreover, there can be words of different length leading to the SCC, entering 
through different states. To keep track of the different arrivals in an SCC at 
different times, we make use of run DAGs [24], that are a means to organize the 
runs of A over a word w. In this section, we first recall the concept of run DAGs 
and then describe how to determinize SCCs with their help. 


Definition 3. Let $\mathcal{A} = (Q, \iota, \delta, F)$ be an NBA and $w \in \Sigma^\omega$ be a word. The
run DAG $\mathcal{G}_{\mathcal{A},w} = (V, E)$ of $\mathcal{A}$ over $w$ is defined as follows: the set of vertices
$V \subseteq Q \times \mathbb{N}$ is defined as $V = \bigcup_{l \ge 0} (V_l \times \{l\})$ where $V_0 = \{\iota\}$ and
$V_{l+1} = \delta(V_l, w[l])$ for every $l \in \mathbb{N}$; there is an edge $((q, l), (q', l')) \in E$ iff
$l' = l + 1$ and $q' \in \delta(q, w[l])$.
Intuitively, a state $q$ at a level $\ell$ may occur in several runs and only one
vertex is needed to represent it, i.e., the vertex $(q, \ell)$, which is said to be on level
$\ell$. Note that by definition, there are at most $|Q|$ vertices on each level. An edge
$((q, l), (q', l+1))$ is an $F$-edge if $(q, w[l], q') \in F$. An infinite sequence of vertices
$\gamma = (q_0, 0)(q_1, 1)\cdots$ is called an $\omega$-branch of $\mathcal{G}_{\mathcal{A},w}$ if $q_0 = \iota$ and for each $\ell \in \mathbb{N}$,
we have $((q_\ell, \ell), (q_{\ell+1}, \ell+1)) \in E$. We can observe that there is a bijection
between the set of runs of $\mathcal{A}$ on $w$ and the set of $\omega$-branches in $\mathcal{G}_{\mathcal{A},w}$. In fact,
to a run $\rho = q_0 q_1 \cdots$ of $\mathcal{A}$ over $w$ corresponds the $\omega$-branch $\hat{\rho} = (q_0, 0)(q_1, 1)\cdots$
and, symmetrically, to an $\omega$-branch $\gamma = (q_0, 0)(q_1, 1)\cdots$ corresponds the run
$\hat{\gamma} = q_0 q_1 \cdots$. Thus $w$ is accepted by $\mathcal{A}$ if and only if there exists an $\omega$-branch in
$\mathcal{G}_{\mathcal{A},w}$ that takes $F$-edges infinitely often.

In the remainder of this section, we will introduce the algorithms for computing
the successors of the current states inside different types of SCCs, with the
help of run DAGs. We fix an NBA $\mathcal{A} = (Q, \iota, \delta, F)$ and a word $w \in \Sigma^\omega$. We let
$Q = \{q_1, \cdots, q_n\}$ and apply a total order $\prec$ on $Q$ such that $q_i \prec q_j$ if $i < j$. Let
$S_\ell \subseteq Q$, $\ell \in \mathbb{N}$, be the set of states reached at the level $\ell$ in the run DAG
$\mathcal{G}_{\mathcal{A},w}$; we assume that this sequence $S_0, \cdots, S_\ell, \cdots$ is available as a global
variable during the computations of every SCC, where $S_0 = \{\iota\}$ and
$S_{\ell+1} = \delta(S_\ell, w[\ell])$.

When determinizing the given NBA A, we classify its SCCs into three types, 
namely inherently weak SCCs (IWCs), deterministic-accepting SCCs (DACs) 
and nondeterministic-accepting SCCs (NACs). We assume that all DACs and 
NACs are not inherently weak, otherwise they will be classified as IWCs. 

In our determinization construction, every level in $\mathcal{G}_{\mathcal{A},w}$ corresponds to a
state in our constructed DELA $\mathcal{A}^E$ while reading the $\omega$-word $w$. Let $m_\ell$ be the
state of $\mathcal{A}^E$ at level $\ell$. The computation of the successor $m_{\ell+1}$ of $m_\ell$ for the letter
$w[\ell]$ will be divided into the successor computation for states in IWCs, DACs
and NACs independently. Then the successor $m_{\ell+1}$ is just the Cartesian product
of these successors. In the remainder of this section, we present how to compute
the successors for the states in each type of SCCs.


3.1 Successor Computation Inside IWCs 


As we have seen, $\mathcal{G}_{\mathcal{A},w}$ contains all runs of $\mathcal{A}$ over $w$, including those within
DACs and NACs. Since we want to compute the successor only for IWCs, we
focus on the states inside the IWCs and ignore other states in DACs and NACs.
Let $W$ be the set of states in all IWCs and $W_A \subseteq W$ be the set of states in all
accepting IWCs.

For the run DAG $\mathcal{G}_{\mathcal{A},w}$, we use a pair of sets of states $(P_\ell, O_\ell) \in 2^W \times 2^W$
to represent the set of IWC states reached in $\mathcal{G}_{\mathcal{A},w}$ at level $\ell$. The set $P_\ell$ is
used to keep track of the states in $W$ reached at level $\ell$, while $O_\ell$, inspired by the
breakpoint construction used in [31], keeps only the states reached in $W_A$, that is,
it is used to track the runs that stay in accepting IWCs. Since by definition each
cycle inside an accepting IWC must visit an accepting transition, for each run
tracked by $O_\ell$ we do not need to remember whether we have taken an accepting
transition: it suffices to know whether the run is still inside some accepting IWC
or whether the run has left them.
We now show how to compute the sets $(P_\ell, O_\ell)$ along $w$. For level 0, we
simply set $P_0 = \{\iota\} \cap W$ and $O_0 = \emptyset$. For the other levels, given $(P_\ell, O_\ell)$ at level
$\ell \in \mathbb{N}$, the encoding $(P_{\ell+1}, O_{\ell+1})$ for the next level $\ell + 1$ is defined as follows:


— $P_{\ell+1} = S_{\ell+1} \cap W$, i.e., $P_{\ell+1}$ keeps track of the $W$-states reached at level $\ell+1$;
— if $O_\ell \neq \emptyset$, then $O_{\ell+1} = \delta(O_\ell, w[\ell]) \cap W_A$, otherwise $O_{\ell+1} = P_{\ell+1} \cap W_A$.


Intuitively, the $O$-set keeps track of the runs that stay in the accepting IWCs.
So if $O_\ell \neq \emptyset$, then $O_{\ell+1}$ maintains the runs remaining in some accepting IWC;
otherwise, $O_\ell = \emptyset$ means that at level $\ell$ all runs seen so far in the accepting
IWCs have left them, so we can just start to track the new runs that entered
the accepting IWCs but were not tracked yet.


[Figure on the right: fragment of the run DAG $\mathcal{G}_{A,w}$ restricted to the IWCs of
the NBA $A$ of Fig. 1, one row per level, with the states in the $O$-set underlined.]

On the right we show the fragment of the run DAG $\mathcal{G}_{A,w}$ for the NBA $A$ shown
in Fig. 1 and its IWCs; we have $W = \{q_2, q_3, q_6\}$ and $W_A = \{q_2, q_3\}$. The set $P_\ell$
contains all states $q$ at level $\ell$; the set $O_\ell$ contains the underlined ones. As a
concrete application of the construction given above, from $P_3 = \{q_2, q_3\}$ and
$O_3 = \delta(O_2, a) \cap W_A = \{q_3\}$, at level 4 we get $P_4 = \{q_2, q_3, q_6\}$ and
$O_4 = \delta(O_3, a) \cap W_A = \{q_2\}$.

It is not difficult to see that checking whether $w$ is accepted reduces to checking
whether the number of empty $O$-sets is finite. We assign color 1 to the transition
from $(P_\ell, O_\ell)$ to $(P_{\ell+1}, O_{\ell+1})$ via $w[\ell]$ if $O_\ell = \emptyset$, otherwise we assign
color 2. Lemma 1 formalizes the relation between accepting runs staying in accepting
IWCs and the colors we get from our construction.


Lemma 1. (1) There exists an accepting run of $A$ over $w$ eventually staying in
an accepting IWC if and only if we receive color 1 finitely many times when
constructing the sequence $(P_0, O_0) \cdots (P_\ell, O_\ell) \cdots$ while reading $w$. (2) The number
of possible $(P, O)$ pairs is at most $3^{|W|}$.

The proof idea is trivial: an accepting run $\rho$ that stays in an accepting IWC will
make the $O$-set contain $\rho$ forever, so from some point on we always get color 2.
A possible pair $(P, O)$ can be seen as assigning each state of $W$ to exactly one of
the three sets $W \setminus P$, $P \cap O$ and $P \setminus O$. It thus gives at most $3^{|W|}$ possibilities.

To ease the construction for the whole NBA $A$, we make the above computation
of successors available as a function weakSucc, which takes as input a pair of
sets $(P, O)$ and a letter $a$, and returns the successor $(P', O')$ and the corresponding
color $c \in \{1, 2\}$ for the transition $((P, O), a, (P', O'))$.

The construction we gave above works on all IWCs at the same time; considering
IWCs separately does not improve the resulting complexity. If there are two
accepting IWCs with $n_1$ and $n_2$ states, respectively, then the number of possible
$(P, O)$ pairs for the two IWCs is $3^{n_1}$ and $3^{n_2}$, respectively. When combining the
pairs for each IWC together, the resulting number of pairs in the Cartesian
product is $3^{n_1} \times 3^{n_2} = 3^{n_1 + n_2}$, which is the same as considering them together.
On the other hand, for each accepting IWC we need to use two colors, so we need
$2 \cdot i$ colors in total for $i$ accepting IWCs, instead of just two colors by operating
on all IWCs together. Hence, we prefer to work on all IWCs at once.
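As an added worked example (this is not code from the paper or from COLA), the following Python implements weakSucc and the color-1 test of Lemma 1 on a small constructed NBA. Its states all lie in IWCs, so $S_\ell = P_\ell$ and no run enters the IWCs from a DAC or NAC; the automaton, the function names and the lasso check over an ultimately periodic word are assumptions made for illustration and are not the paper's Fig. 1.

```python
# Added example: weakSucc (Sect. 3.1) on a constructed NBA, not the paper's Fig. 1.
# Every state of this NBA lies in an IWC, so S_l = P_l and Lemma 1 alone decides
# acceptance; in the full construction the DAC/NAC checks run alongside.

# Transitions (state, letter) -> successors. Inside {q2, q3} every transition is
# accepting (an accepting IWC); q6 is a non-accepting sink IWC.
DELTA = {
    ("q2", "a"): {"q2", "q3"}, ("q2", "b"): {"q6"},
    ("q3", "a"): {"q2"},       ("q3", "b"): {"q3"},
    ("q6", "a"): {"q6"},       ("q6", "b"): {"q6"},
}
W = {"q2", "q3", "q6"}      # states in all IWCs
WA = {"q2", "q3"}           # states in accepting IWCs


def step(states, letter):
    """delta(S, a): all successors of the states in S under the letter."""
    out = set()
    for q in states:
        out |= DELTA.get((q, letter), set())
    return out


def weak_succ(P, O, letter):
    """One step of weakSucc: returns ((P', O'), color); color 1 iff O is empty."""
    P2 = step(P, letter) & W            # P_{l+1} = S_{l+1} ∩ W (here S_l = P_l)
    if O:                               # O non-empty: follow the tracked runs
        O2 = step(O, letter) & WA
    else:                               # O empty: restart with the runs now in W_A
        O2 = P2 & WA
    return (frozenset(P2), frozenset(O2)), (1 if not O else 2)


def trace(P0, word):
    """(P_l, O_l) after reading a finite word, plus the colors received."""
    P, O = frozenset(P0) & W, frozenset()
    colors = []
    for a in word:
        (P, O), c = weak_succ(P, O, a)
        colors.append(c)
    return P, O, colors


def lasso_accepted(P0, prefix, cycle):
    """Lemma 1 on the ultimately periodic word prefix·cycle^ω: accepted iff
    color 1 occurs only finitely often, i.e. never inside the repeating loop."""
    P, O = frozenset(P0) & W, frozenset()
    for a in prefix:
        (P, O), _ = weak_succ(P, O, a)
    seen, colors = {}, []
    while (P, O) not in seen:           # (P, O) ranges over a finite set
        seen[(P, O)] = len(colors)
        for a in cycle:
            (P, O), c = weak_succ(P, O, a)
            colors.append(c)
    return 1 not in colors[seen[(P, O)]:]


if __name__ == "__main__":
    print(trace({"q2"}, "aaba"))
    print(lasso_accepted({"q2"}, "", "a"), lasso_accepted({"q2"}, "a", "ab"))
```

On the word $a\,a\,b\,a$ from $q_2$ the trace receives colors $1, 2, 2, 2$: the first step restarts the empty $O$-set, after which the runs through $q_2, q_3$ are tracked. On $b^\omega$ every run falls into the sink $q_6$, the $O$-set stays empty and color 1 repeats forever, which is exactly the rejecting case of Lemma 1.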
3.2 Successor Computation Inside DACs


In contrast to IWCs, we do not work on all DACs at once but we process each
DAC separately. This is because there may be nondeterminism between DACs: a
run in a DAC may branch into multiple runs that jump to different DACs, which
would require us to resort to the Safra-Piterman construction [33,36] when considering
all DACs at once. Working on each DAC separately, instead, allows us to take
advantage of the internal determinism: for a given DAC $D$, the transition relation
$\delta$ inside $D$, denoted as $\delta_D = (D \times \Sigma \times D) \cap \delta$, is deterministic.

Although every run $\rho$ entering $D$ can have only one successor in $D$, $\rho$ may
leave $D$ while new runs can enter $D$, which makes it difficult to check whether
there exists an accepting run that remains trapped in $D$. In order to identify
accepting runs staying in $D$, we identify the following two rules for distinguishing
runs that come to $D$ by means of unique labelling numbers: (1) the runs already
in $D$ have precedence over newly entering runs, thus the latter get assigned a
higher number. In practice, the labelling keeps track of the relative order of
entering $D$, thus the lower the labelling value is, the earlier the run came to $D$;
(2) when two runs in $D$ merge, we only keep the run that came to $D$ earlier, i.e.,
the run with the lower number. If two runs enter $D$ at the same time, we let them
enter according to the total state order $\preceq$ on their respective entry states.

We use a level-labelling function $g_\ell \colon D \to \{1, \ldots, 2 \cdot |D|\} \cup \{\infty\}$ to encode the
set of $D$-states reached at level $\ell$ of the run DAG $\mathcal{G}_{A,w}$. Here we use $g_\ell(q) = \infty$
to indicate that the state $q \in D$ is not reached by $A$ at level $\ell$.

At level 0, we set $g_0(q) = \infty$ for every state $q \in D \setminus \{\iota\}$, and $g_0(\iota) = 1$ if
$\iota \in D$. Note that the SCC that $\iota$ resides in can be an IWC, a DAC or a NAC.

For a given level-labelling function $g_\ell$, we will make $\{\, q \in D \mid g_\ell(q) \neq \infty \,\} =
S_\ell \cap D$ hold, i.e., tracing correctly the set of $D$-states reached by $A$ at level $\ell$;
we denote the set $g_\ell(D) \setminus \{\infty\}$ by $\beta(g_\ell)$, so $\beta(g_\ell)$ is the set of unique labelling
numbers at level $\ell$. By the construction given below about how to generate $g_{\ell+1}$
from $g_\ell$ on reading $w[\ell]$, we ensure that $\beta(g_\ell) \subseteq \{1, \ldots, 2 \cdot |D|\}$ for all $\ell \in \mathbb{N}$.

We now present how to compute the successor level-labelling function $g_{\ell+1}$ of
$g_\ell$ on letter $w[\ell]$. The states reached by $A$ at level $\ell + 1$, i.e., $S_{\ell+1} \cap D$, may come
from two sources: some states may come from states not in $D$ via transitions in
$\delta \setminus \delta_D$; some others via $\delta_D$ from states in $S_\ell \cap D$. In order to generate $g_{\ell+1}$, we
first compute an intermediate level-labelling function $g'_{\ell+1}$ as follows.


1. To obey Rule (2), for every state $q' \in \delta_D(S_\ell \cap D, w[\ell])$, we set

   $g'_{\ell+1}(q') = \min\{\, g_\ell(q) \mid q \in S_\ell \cap D \wedge \delta_D(q, w[\ell]) = q' \,\}$.

   That is, when two runs merge, we only keep the run with the lower labelling
   number, i.e., the run that entered $D$ earlier.

2. To respect Rule (1), we set $g'_{\ell+1}(q') = |D| + i$ for the $i$-th newly entered state
   $q' \in (S_{\ell+1} \cap D) \setminus \delta_D(S_\ell \cap D, w[\ell])$, where the states $q'$ are ordered by the
   total order $\preceq$ of the states. Since every state in $\delta_D(S_\ell \cap D, w[\ell])$ is on a run that
   already entered $D$, its labelling has already been determined by case 1.
It is easy to observe that in order to compute the transition relation between
two consecutive levels, we only need to know the labelling at the previous level.
More precisely, we do not have to know the exact labelling numbers, since it
suffices to know their relative order. Therefore, we can compress the level-labelling
$g'_{\ell+1}$ to $g_{\ell+1}$ as follows. Let $\mathit{ord} \colon \beta(g'_{\ell+1}) \to \{1, \ldots, |\beta(g'_{\ell+1})|\}$ be the function
that maps each labelling value in $\beta(g'_{\ell+1})$ to its relative position once the values in
$\beta(g'_{\ell+1})$ have been sorted in ascending order. For instance, if $\beta(g'_{\ell+1}) = \{2, 4, 7\}$,
then $\mathit{ord} = \{2 \mapsto 1, 4 \mapsto 2, 7 \mapsto 3\}$. Then we set $g_{\ell+1}(q) = \mathit{ord}(g'_{\ell+1}(q))$ for
each $q \in S_{\ell+1} \cap D$, and $g_{\ell+1}(q') = \infty$ for each $q' \in D \setminus S_{\ell+1}$. In this way, all
level-labelling functions $g_\ell$ we use are such that $\beta(g_\ell) \subseteq \{1, \ldots, |D|\}$.

The intuition behind the use of these level-labelling functions is that, if we
always see a labelling number $h$ in the intermediate level-labelling $g'_\ell$ for all $\ell > k$
after some level $k$, we know that there is a run that eventually stays in $D$ and is
eventually always labelled with $h$. To check whether this run also visits infinitely
many accepting transitions, we color every transition $e = (g_\ell, w[\ell], g_{\ell+1})$. To
decide what color to assign to $e$, we first identify which runs have merged with
others or got out of $D$ (corresponding to bad events and odd colors) and which
runs still continue to stay in $D$ and take an accepting transition (corresponding
to good events and even colors).

The bad events correspond to the discontinuation of labelling values between
$g_\ell$ and $g'_{\ell+1}$, defined as $B(e) = \beta(g_\ell) \setminus \beta(g'_{\ell+1})$. Intuitively, if a labelling value
$k$ exists in the set $B(e)$, then the run $\rho$ associated with labelling $k$ merged
with a run with lower labelling value $k' < k$, or $\rho$ left the DAC $D$. The good
events correspond to the occurrence of accepting transitions in some runs, whose
labelling we collect into $G(e) = \{\, k \in \beta(g_\ell) \mid \exists (q, w[\ell], q') \in F \colon g_\ell(q) = g'_{\ell+1}(q') =
k \neq \infty \,\}$. In practice, a labelling value $k$ in $G(e)$ indicates that we have seen
a run with labelling $k$ that visits an accepting transition. We then let $B(e) =
B(e) \cup \{|D| + 1\}$ and $G(e) = G(e) \cup \{|D| + 1\}$, where the value $|D| + 1$ is used to
indicate that no bad (i.e., no run merged or left the DAC) or no good (i.e., no
run took an accepting transition) events happened, respectively.

In order to declare a sequence of labelling functions as accepting, we want
the good events to happen infinitely often and the bad events to happen only finitely
often, at least for the runs whose labelling number is lower than that of the runs
with good events. So we assign the color $c = \min\{2 \cdot \min B(e) - 1,\; 2 \cdot \min G(e)\}$
to the transition $e$. Since the labelling numbers are in $\{1, \ldots, |D|\}$, we
have that $c \in \{1, \ldots, 2 \cdot |D| + 1\}$. The intuition why we assign colors in this way
is given as the proof idea of the following lemma.


Lemma 2. (1) An accepting run of $A$ over $w$ eventually stays in the DAC $D$
if and only if the minimal color $c$ we receive infinitely often is even. (2) The
number of possible labelling functions $g$ is at most $3 \cdot |D|!$.


The proof idea is as follows: an accepting run $\rho$ on the word $w$ that stays in $D$
will have a stable labelling number, say $k \geq 1$, after some level, since the labelling
value cannot increase by construction and is finite. So all runs on $w$ that have
labelling values lower than $k$ will not leave $D$: if they would leave or just merge
with other runs, their labelling value would vanish, so $\mathit{ord}$ would decrease the value
for $\rho$. This implies that the color we receive afterwards infinitely often is either
1) an odd color larger than $2k$, due to vanishing runs with value at least $k + 1$
or simply because no bad or good events occur, or 2) an even color at most $2k$,
depending on whether there is some run with value smaller than $\rho$ also taking
accepting transitions. Thus the minimum color occurring infinitely often is even.
The number of labelling functions $g$ is bounded by $\sum_{i=0}^{|D|} \binom{|D|}{i} \cdot i! \leq 3 \cdot |D|!$.

[Figure on the right: fragment of the run DAG $\mathcal{G}_{A,w}$ restricted to the DAC
$D = \{q_4, q_5\}$, one row per level, annotated near each state $q$ with $g'_\ell(q)$, $g_\ell(q)$
and the corresponding $\mathit{ord}$.]

The fragment of the DAG $\mathcal{G}_{A,w}$ shown on the right is relative to the only DAC
$D = \{q_4, q_5\}$. The values of $g'_\ell(q)$, $g_\ell(q)$ and the corresponding $\mathit{ord}$ are given by the
mapping near each state $q$; as a concrete application of the construction given above,
consider how to get $g_4$ from $g_3$, defined as $g_3(q_4) = 1$ and $g_3(q_5) = \infty$:
since $q_5 \in \delta_D(S_3 \cap D, a)$, according to case 1 we define $g'_4(q_5) = 1$ because
$q_5 = \delta_D(q_4, a)$ and $g_3(q_4) = 1$; since $q_4 \in (S_4 \cap D) \setminus \delta_D(S_3 \cap D, a)$, case 2
applies, so $g'_4(q_4) = 3$. The function $\mathit{ord}$ is $\mathit{ord} = \{1 \mapsto 1, 3 \mapsto 2\}$, thus we get
$g_4(q_4) = 2$ and $g_4(q_5) = 1$. As bad/good sets for the transition $e = g_3 \to g_4$, we
have $B(e) = \emptyset \cup \{3\}$ while $G(e) = \{1\} \cup \{3\}$, so the resulting color is 2.

Again, we make the above computation of successors available as a function
detSucc, which takes as input the DAC $D$, a labelling $g$ and a letter $a$, and returns
the successor labelling $g'$ and the color $c \in \{1, \ldots, 2 \cdot |D| + 1\}$.
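As an added worked example (not code from the paper or from COLA), the following Python implements detSucc for a single DAC, including the two labelling rules, the compression by $\mathit{ord}$, the bad/good sets and the color, and a lasso check for Lemma 2. The NBA is constructed so that its DAC $D = \{q_4, q_5\}$ reproduces the paper's $g_3 \to g_4$ step; the outside state $q_1$, the transitions and the function names are assumptions for illustration, not the paper's Fig. 1. Since the paper leaves the set $S$ of currently reached states implicit in the macrostate, the code passes the full successor set $S_{\ell+1}$ explicitly.

```python
# Added example: detSucc (Sect. 3.2) on a constructed NBA, not the paper's Fig. 1.
INF = float("inf")  # stands for the label ∞ (state of D not reached)

# q1 lies outside the DAC and keeps feeding runs into it; D = {q4, q5} is
# deterministic inside and has the accepting cycle q4 -a-> q5 -a-> q4.
DELTA = {
    ("q1", "a"): {"q1", "q4"},
    ("q4", "a"): {"q5"}, ("q4", "b"): {"q4"},
    ("q5", "a"): {"q4"}, ("q5", "b"): {"q5"},
}
F = {("q4", "a", "q5")}      # accepting transitions
D = ("q4", "q5")             # the DAC, listed in the total state order ⪯
D_SET = set(D)


def step(S, a):
    """delta(S, a) for the whole NBA."""
    out = set()
    for q in S:
        out |= DELTA.get((q, a), set())
    return out


def delta_D(q, a):
    """Deterministic transition inside D; None if the run leaves D."""
    succ = DELTA.get((q, a), set()) & D_SET
    assert len(succ) <= 1, "a DAC is deterministic inside"
    return next(iter(succ), None)


def det_succ(g, a, S_next):
    """One step of detSucc. g maps every state of D to a label or INF; S_next is
    S_{l+1} for the whole NBA. Returns (g', color), color in 1..2|D|+1."""
    reached = [q for q in D if g[q] != INF]            # S_l ∩ D
    g1 = {q: INF for q in D}                           # intermediate g'_{l+1}
    # Rule (2): runs that merge keep the lowest (oldest) label.
    for q in reached:
        q2 = delta_D(q, a)
        if q2 is not None:
            g1[q2] = min(g1[q2], g[q])
    # Rule (1): runs entering D from outside get |D|+1, |D|+2, ... in state order.
    continuing = {delta_D(q, a) for q in reached} - {None}
    new_states = [q for q in D if q in S_next and q not in continuing]
    for i, q in enumerate(new_states, start=1):
        g1[q] = len(D) + i
    # Good events: a run kept its label while taking an accepting transition.
    good = set()
    for q in reached:
        q2 = delta_D(q, a)
        if q2 is not None and (q, a, q2) in F and g1[q2] == g[q]:
            good.add(g[q])
    labels_before = {g[q] for q in reached}
    labels_after = {v for v in g1.values() if v != INF}
    bad = (labels_before - labels_after) | {len(D) + 1}   # B(e) ∪ {|D|+1}
    good |= {len(D) + 1}                                   # G(e) ∪ {|D|+1}
    color = min(2 * min(bad) - 1, 2 * min(good))
    # ord: compress the labels in use to 1..|D| while keeping their order.
    ordmap = {v: i for i, v in enumerate(sorted(labels_after), start=1)}
    g2 = {q: (ordmap[v] if v != INF else INF) for q, v in g1.items()}
    return g2, color


def lasso_min_color(S0, prefix, cycle):
    """Minimal color seen infinitely often on prefix·cycle^ω (Lemma 2: an
    accepting run eventually stays in D iff this color is even)."""
    S = set(S0)
    g = {q: (1 if q in S else INF) for q in D}        # level-0 labelling
    for a in prefix:
        S2 = step(S, a)
        g, _ = det_succ(g, a, S2)
        S = S2
    key = lambda: (frozenset(S), tuple(g[q] for q in D))
    seen, colors = {}, []
    while key() not in seen:                          # finitely many (S, g)
        seen[key()] = len(colors)
        for a in cycle:
            S2 = step(S, a)
            g, c = det_succ(g, a, S2)
            S = S2
            colors.append(c)
    return min(colors[seen[key()]:])


if __name__ == "__main__":
    print(det_succ({"q4": 1, "q5": INF}, "a", {"q1", "q4", "q5"}))
    print(lasso_min_color({"q1"}, "", "a"), lasso_min_color({"q1"}, "a", "b"))
```

The first call reproduces the paper's step: $g'_4(q_5) = 1$, $g'_4(q_4) = 3$, compressed to $g_4 = \{q_4 \mapsto 2, q_5 \mapsto 1\}$ with color 2. On $a^\omega$ the macrostates cycle with colors 4 and 2, so the minimal color seen infinitely often is even and the run $q_1 q_4 q_5 q_4 \ldots$ is recognised; on $a\,b^\omega$ the only run trapped in $D$ loops on the non-accepting $q_4 \to q_4$, so only the odd color $2 \cdot (|D| + 1) - 1 = 5$ repeats.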


3.3 Successor Computation Inside NACs 


The computation of the successor inside a NAC is more involved since runs
can branch, so it is more difficult to check whether there exists an accepting
run. To identify accepting runs, researchers usually follow the Safra-Piterman
idea [33,36] of giving the runs that take more accepting transitions precedence
over other runs that join them. We now present how to compute labelling
functions encoding this idea for NACs, instead of the whole NBA. Differently from the
previous case about DACs, the labelling functions we use here use lists of numbers,
instead of single numbers, to keep track of the branching, merging and new
incoming runs. This can be seen as a generalization of the numbered brackets
used in [35] to represent ordinary Safra-Piterman trees. Differently from that
construction, in our setting the main challenge we have to consider is how to
manage correctly the newly entering runs, which simply do not occur in [35]
since there the whole NBA is considered. The fact that runs can merge, instead,
is a common aspect, while the fact that a run $\rho$ leaves the current NAC can be
treated similarly to dying out runs in [35]. Below we assume that $N$ is a given
NAC; we denote by $\delta_N = (N \times \Sigma \times N) \cap \delta$ the transition function $\delta$ inside $N$.

To manage the branching and merging of runs of $A$ over $w$ inside a NAC,
and to keep track of the accepting transitions taken so far, we use level-labelling
functions as for the DAC case. For a given NAC $N$, the functions we use have
lists of natural numbers as codomain; more precisely, let $L_N$ be the set of lists
taking values in the set $\{1, \ldots, 2 \cdot |N|\}$, where a list is a finite sequence of values
in ascending order. Given two lists $[v_1, \ldots, v_k]$ and $[v'_1, \ldots, v'_{k'}]$, we say that
$[v_1, \ldots, v_k]$ is a prefix of $[v'_1, \ldots, v'_{k'}]$ if $1 \leq k \leq k'$ and for each $1 \leq j \leq k$ we
have $v_j = v'_j$. Note that the empty list is not a prefix of any list. Given two
lists $[v_1, \ldots, v_k]$ and $[v'_1, \ldots, v'_{k'}]$, we denote by $[v_1, \ldots, v_k] \cdot [v'_1, \ldots, v'_{k'}]$ their
concatenation, that is, the list $[v_1, \ldots, v_k, v'_1, \ldots, v'_{k'}]$. Moreover, we define a total
order on lists as follows: given two lists $[v_1, \ldots, v_k]$ and $[v'_1, \ldots, v'_{k'}]$, we order
them by padding the shorter of the two with $\infty$ at the rear, so as to make them of
the same length, and then by comparing them by the usual lexicographic order.
This means, for instance, that the empty list $[]$ is the largest list and that $[1, 3, 5]$
is smaller than $[1, 3]$ but larger than $[1, 2]$. The lists help to keep track of the
branching history through their prefixes: for instance, $[1, 2]$ branched from $[1]$.

As done for DACs, we use a level-labelling function $t_\ell \colon N \to L_N$ to encode the
set of $N$-states reached in the run DAG $\mathcal{G}_{A,w}$ at level $\ell$. We denote by $\beta(t_\ell)$ the set
of non-empty lists in the image of $t_\ell$, that is, $\beta(t_\ell) = \{\, t_\ell(q) \mid q \in N \wedge t_\ell(q) \neq [] \,\}$.
We use the empty list $[]$ for the states in $N$ that do not occur in the vertexes
of $\mathcal{G}_{A,w}$ at level $\ell$, so $\beta(t_\ell)$ contains only lists associated with states that $A$ is
currently located at. Similarly to the other types of SCCs, at level 0, we set
$t_0(\iota) = [1]$ if $\iota \in N$, and $t_0(q) = []$ for each state $q \in N \setminus \{\iota\}$.

To define the transition from $t_\ell$ to $t_{\ell+1}$ through the letter $w[\ell]$, we use again
an intermediate level-labelling function $t'_{\ell+1}$ that we construct step by step as
follows. We start with $t'_{\ell+1}(q) = []$ for each $q \in N$ and with the set of unused
numbers $U = \{\, u \geq 1 \mid u \notin \beta(t_\ell) \,\}$, i.e., the numbers not occurring in any list of $\beta(t_\ell)$.

1. For every state $q' \in \delta_N(S_\ell \cap N, w[\ell])$, let $P_{q'} = \{\, q \in S_\ell \cap N \mid (q, w[\ell], q') \in \delta_N \,\}$
   be the set of currently reached predecessors of $q'$, and $C_{q'} = \emptyset$. For each $q \in
   P_{q'}$, if $(q, w[\ell], q') \in F$, then we add $t_\ell(q) \cdot [u]$ to $C_{q'}$, where $u = \min U$, and
   we remove $u$ from $U$, so that each number in $U$ is used only once; otherwise,
   for $(q, w[\ell], q') \in \delta_N \setminus F$, we add $t_\ell(q)$ to $C_{q'}$. Lastly, we set $t'_{\ell+1}(q') = \min C_{q'}$,
   where the minimum is taken according to the list order.
   Intuitively, if a run $\rho$ can branch into two kinds of runs, some via accepting
   transitions and some others via nonaccepting transitions at level $\ell + 1$, then
   we let those from nonaccepting transitions inherit the labelling from $\rho$, i.e.,
   $t_\ell(\rho[\ell])$; for the runs taking accepting transitions we create a new labelling
   $t_\ell(\rho[\ell]) \cdot [u]$. In this way, the latter get precedence over the former. Moreover,
   if a run $\rho$ has received multiple labelling values, collected in $C_{\rho[\ell+1]}$, then it
   will keep the smallest one, by $t'_{\ell+1}(\rho[\ell+1]) = \min C_{\rho[\ell+1]}$.

2. For each state $q' \in (S_{\ell+1} \cap N) \setminus \delta_N(S_\ell \cap N, w[\ell])$, taken according to the state
   order $\preceq$, we first set $t'_{\ell+1}(q') = [u]$, where $u = \min U$, and then we remove
   $u$ from $U$, so we do not reuse the same values. That is, we give the newly
   entered runs lower precedence than those already in $N$, by means of the larger
   list $[u]$.


We now need to prune the lists in $\beta(t'_{\ell+1})$ and recognize good and bad events.
Similarly to DACs, a bad event means that a run has left $N$ or has been merged
with runs with smaller labelling, which is indicated by a discontinuation of a
labelling between $\beta(t_\ell)$ and $\beta(t'_{\ell+1})$. For the transition $e = (t_\ell, w[\ell], t_{\ell+1})$ we
are constructing, to recognize bad events, we put into the set $B(e)$ the number
$|N| + 1$ and all numbers in $\beta(t_\ell)$ that have disappeared in $\beta(t'_{\ell+1})$, that is,
$B(e) = \{|N| + 1\} \cup \{\, v \in \mathbb{N} \mid v \text{ occurs in } \beta(t_\ell) \text{ but not in } \beta(t'_{\ell+1}) \,\}$.

Differently from the good events for DACs, which require visiting an accepting
transition, we need all runs branched from a run to visit an accepting transition,
which is indicated by the fact that there are no states labelled by $t'_{\ell+1}$ with
some list $l \in \beta(t_\ell)$ but there are extensions of $l$ associated with some state. To
recognize good events, let $G(e) = \{|N| + 1\}$ and $t''_{\ell+1}$ be another intermediate
labelling function. For each $q' \in S_{\ell+1} \cap N$, consider the list $t'_{\ell+1}(q')$: if for each
prefix $[v_1, \ldots, v_k]$ of $t'_{\ell+1}(q')$ we have $[v_1, \ldots, v_k] \in \beta(t'_{\ell+1})$, then we set $t''_{\ell+1}(q') =
t'_{\ell+1}(q')$. Otherwise, let $[v_1, \ldots, v_k] \in \beta(t_\ell)$ be the shortest prefix of $t'_{\ell+1}(q')$ not
in $\beta(t'_{\ell+1})$; we set $t''_{\ell+1}(q') = [v_1, \ldots, v_k]$ and add $v_k$ to $G(e)$. Setting $t''_{\ell+1}(q') =
[v_1, \ldots, v_k]$ in fact corresponds, in Safra's construction [36], to the removal
of all children of a node for which the union of the states in the children is
equal to the states in the node. Lastly, similarly to the DAC case, we set $t_{\ell+1}(q) =
\mathit{ord}(t''_{\ell+1}(q))$ for each $q \in S_{\ell+1} \cap N$ and $t_{\ell+1}(q') = []$ for each $q' \in N \setminus S_{\ell+1}$, where
$\mathit{ord}([v_1, \ldots, v_k]) = [\mathit{ord}(v_1), \ldots, \mathit{ord}(v_k)]$. Regarding the color to assign to the
transition $e$, we just assign the color $c = \min\{2 \cdot \min G(e),\; 2 \cdot \min B(e) - 1\}$.


Lemma 3. (1) An accepting run of $A$ over $w$ eventually stays in the NAC $N$
if and only if the minimal color $c$ we receive infinitely often is even. (2) The
number of possible labelling functions $t$ is at most $2 \cdot (|N|!)^2$.


Similarly to DACs, also for NACs we handle each NAC independently.
The reason for this is that it potentially reduces the complexity of the single
cases: assume that we have two NACs $N_1$ and $N_2$. If we apply the Safra-Piterman
construction directly to $N_1 \cup N_2$, we might incur the worst-case
complexity $2 \cdot ((|N_1| + |N_2|)!)^2$, as mentioned in the introduction. However, if
we determinize them separately, then the worst-case complexity for each NAC $N_i$ is
$2 \cdot (|N_i|!)^2$, for an overall $4 \cdot (|N_1|! \cdot |N_2|!)^2$, much smaller than $2 \cdot ((|N_1| + |N_2|)!)^2$.

As usual, we make the above construction available as a function nondetSucc,
which takes as input the NAC $N$, a labelling $t$ and a letter $a$, and returns the
successor labelling $t'$ and the corresponding color $c \in \{1, \ldots, 2 \cdot |N| + 1\}$.

[Figure on the right: fragment of the run DAG $\mathcal{G}_{A,w}$ restricted to the NAC
$N = \{q_0, q_1\}$, levels 0 to 2, annotated near each state with its list $t_\ell(q)$.]

Similarly to the constructions for other SCCs, we show on the right the fragment
of the run DAG $\mathcal{G}_{A,w}$ for the NAC $N = \{q_0, q_1\}$, with $q_0 \preceq q_1$. The construction
of $t_1$ is easy, so consider its $a$-successor $t_2$: we start with $U = \{3, 4, \ldots\}$;
for $q_0$, we have $P_{q_0} = \{q_0, q_1\}$ and $C_{q_0} = \{[1, 2, 3], [1]\}$, hence $t'_2(q_0) = [1, 2, 3]$.
For $q_1$, we get $P_{q_1} = \{q_0\}$ and $C_{q_1} = \{[1, 2]\}$, so $t'_2(q_1) = [1, 2]$. Thus, for
$e = (t_1, w[1], t_2)$ we have $B(e) = \{3\}$ while $G(e) = \{1, 3\}$, since both lists in
$\beta(t'_2) = \{[1, 2], [1, 2, 3]\}$ are missing the prefix $[1]$, so we get $t_2(q_0) = t_2(q_1) = [1]$
and color $c = 2$.
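As an added worked example (not code from the paper or from COLA), the following Python implements nondetSucc for a single NAC with the list order, steps 1 and 2, the pruning to the shortest missing prefix, the bad/good sets, the $\mathit{ord}$ compression and the color. The NAC is constructed to reproduce the $t_1 \to t_2$ step of the paper's example ($N = \{q_0, q_1\}$, $q_0 \preceq q_1$, with $(q_0, a, q_0)$ accepting); the $b$-transitions, the function names and the lasso check for Lemma 3 are assumptions for illustration and are not the paper's Fig. 1. Lists are represented as Python tuples, and as in the DAC example the successor set $S_{\ell+1}$ is passed explicitly.

```python
# Added example: nondetSucc (Sect. 3.3) on a constructed NAC, not the paper's Fig. 1.
INF = float("inf")

N = ("q0", "q1")                  # states of the NAC in the total order ⪯
DELTA_N = {                       # transitions inside N: (state, letter) -> successors
    ("q0", "a"): {"q0", "q1"}, ("q0", "b"): {"q1"},
    ("q1", "a"): {"q0"},       ("q1", "b"): {"q1"},
}
F = {("q0", "a", "q0")}           # the only accepting transition
PAD = 2 * len(N) + 1              # lists never exceed 2|N| entries


def lkey(lst):
    """Key realising the paper's list order: pad with ∞, then lexicographic."""
    return tuple(lst) + (INF,) * (PAD - len(lst))


def step(S, a):
    out = set()
    for q in S:
        out |= DELTA_N.get((q, a), set())
    return out


def nondet_succ(t, a, S_next):
    """One step of nondetSucc. t maps each state of N to a tuple of labels,
    () meaning 'not reached'; S_next is S_{l+1}. Returns (t', color)."""
    reached = [q for q in N if t[q]]
    used = {v for q in reached for v in t[q]}
    def take_unused():                          # u = min U, then remove u from U
        u = 1
        while u in used:
            u += 1
        used.add(u)
        return u
    t1 = {q: () for q in N}                     # intermediate t'_{l+1}
    # Step 1: each successor keeps the smallest candidate list; an accepting
    # transition appends a fresh number, giving that branch higher precedence.
    for q2 in N:
        cands = []
        for q in reached:
            if q2 in DELTA_N.get((q, a), set()):
                cands.append(t[q] + (take_unused(),) if (q, a, q2) in F else t[q])
        if cands:
            t1[q2] = min(cands, key=lkey)
    # Step 2: states entered from outside N get a fresh singleton list [u].
    for q2 in N:
        if q2 in S_next and not t1[q2]:
            t1[q2] = (take_unused(),)
    before = {v for q in reached for v in t[q]}
    after = {v for lst in t1.values() for v in lst}
    bad = (before - after) | {len(N) + 1}       # B(e)
    # Pruning: a list whose proper prefix vanished is cut back to the shortest
    # missing prefix, and that prefix's last number is a good event.
    good = {len(N) + 1}                         # G(e)
    present = set(t1.values())
    t2 = {}                                     # intermediate t''_{l+1}
    for q, lst in t1.items():
        for k in range(1, len(lst) + 1):
            if lst[:k] not in present:
                lst = lst[:k]
                good.add(lst[-1])
                break
        t2[q] = lst
    color = min(2 * min(good), 2 * min(bad) - 1)
    # ord: renumber the values still in use to 1..m, keeping their order.
    nums = sorted({v for lst in t2.values() for v in lst})
    ordmap = {v: i for i, v in enumerate(nums, start=1)}
    return {q: tuple(ordmap[v] for v in lst) for q, lst in t2.items()}, color


def lasso_min_color(prefix, cycle, init="q0"):
    """Minimal color occurring infinitely often on prefix·cycle^ω (Lemma 3)."""
    S = {init}
    t = {q: ((1,) if q == init else ()) for q in N}   # t_0
    for a in prefix:
        S2 = step(S, a); t, _ = nondet_succ(t, a, S2); S = S2
    key = lambda: (frozenset(S), tuple(t[q] for q in N))
    seen, colors = {}, []
    while key() not in seen:
        seen[key()] = len(colors)
        for a in cycle:
            S2 = step(S, a); t, c = nondet_succ(t, a, S2); S = S2
            colors.append(c)
    return min(colors[seen[key()]:])


if __name__ == "__main__":
    print(nondet_succ({"q0": (1, 2), "q1": (1,)}, "a", {"q0", "q1"}))
    print(lasso_min_color("", "a"), lasso_min_color("", "b"))
```

The first call is the paper's $t_1 \to t_2$ step: $t'_2(q_0) = [1, 2, 3]$ and $t'_2(q_1) = [1, 2]$ both lack the prefix $[1]$, so both are cut back to $[1]$, $G(e) = \{1, 3\}$ and the color is 2. On $a^\omega$ the labellings alternate between $\{q_0 \mapsto [1, 2], q_1 \mapsto [1]\}$ and $\{q_0 \mapsto [1], q_1 \mapsto [1]\}$ with colors 5 and 2, so the minimal color seen infinitely often is even, matching the accepting self-loop on $q_0$; on $b^\omega$ every run ends in the non-accepting loop on $q_1$ and only color 5 repeats.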


4 Determinization of NBAs to DELAs 


In this section, we fix an NBA $A = (Q, \iota, \delta, F)$ with $n = |Q|$ states and we
show how to construct an equivalent DELA $A^E = (Q^E, \iota^E, \delta^E, \Gamma^E, p^E, \mathit{Acc}^E)$
by using the algorithms developed in the previous section. We assume that $A$
has $\{D^1, \ldots, D^d\}$ as set of DACs and $\{N^1, \ldots, N^k\}$ as set of NACs.

When computing the successor for each type of SCC while reading a word
$w$, we just need to know the set $S_\ell$ of states reached at the current level $\ell$ and the
letter $a \in \Sigma$ to read. We can ignore the actual level $\ell$, since if $S_\ell = S_{\ell'}$, then their
successors under the same letter will be the same. As mentioned before, every
state of $A^E$ corresponds to a level of $\mathcal{G}_{A,w}$. We call a state of $A^E$ a macrostate
and a run of $A^E$ a macrorun, to distinguish them from those of $A$.

Macrostates $Q^E$. Each macrostate consists of the pair $(P, O)$ for encoding the
states in IWCs, a labelling function $g^i \colon D^i \to \{1, \ldots, |D^i|\} \cup \{\infty\}$ for the states
of each DAC $D^i$ and a labelling function $t^j \colon N^j \to L_{N^j}$ for each NAC $N^j$, without
the explicit level number. The initial macrostate $\iota^E$ of $A^E$ is the encoding of level
0, defined as the set $\{(P_0, O_0)\} \cup \{\, g^i_0 \mid D^i \text{ is a DAC} \,\} \cup \{\, t^j_0 \mid N^j \text{ is a NAC} \,\}$, where
each encoding for the different types of SCCs is the one for level 0.

We note that $\iota$ must be present in one type of SCC. In particular, if $\iota$ is a
transient state, then $\{\iota\}$ is classified as an IWC.


Transition Function $\delta^E$. Let $m$ be the current macrostate in $Q^E$ and $a \in \Sigma$
be the letter to read. Then we define $m' = \delta^E(m, a)$ as follows.

(i) For $(P_m, O_m) \in m$, we set $(P_{m'}, O_{m'}) = \mathit{weakSucc}((P_m, O_m), a)$ in $m'$.
(ii) For $g^i_m \in m$ relative to the DAC $D^i$, we set $g^i_{m'} = \mathit{detSucc}(D^i, g^i_m, a)$ in $m'$.
(iii) For $t^j_m \in m$ from the NAC $N^j$, we set $t^j_{m'} = \mathit{nondetSucc}(N^j, t^j_m, a)$ in $m'$.

Note that the set $S$ of the current states of $A$ used by the different successor
functions is implicitly given by the sets $P$, $\{\, q \in D^i \mid g^i(q) \neq \infty \,\}$ for each DAC
$D^i$ and $\{\, q \in N^j \mid t^j(q) \neq [] \,\}$ for each NAC $N^j$ in the current macrostate $m$.


Color Set $\Gamma^E$ and Coloring Function $p^E$. From the constructions given in
Sect. 3, we have two colors from the IWCs, $2 \cdot |D^i| + 1$ colors for each DAC $D^i$,
and $2 \cdot |N^j| + 1$ colors for each NAC $N^j$, yielding a total of at most $3 \cdot |Q|$ colors.
Thus we set $\Gamma^E = \{0, 1, \ldots, 3 \cdot |Q|\}$, with color 0 not being actually used.
Regarding the color to assign to each transition, we need to ensure that the
colors returned by the single SCCs are treated separately, so we transpose them.
For a transition $e = (m, a, m') \in \delta^E$, we define the coloring function $p^E$ as follows.

– If we receive color 1 for the transition $((P_m, O_m), a, (P_{m'}, O_{m'}))$, then we put
  $1 \in p^E(e)$. Intuitively, every time we see an empty $O$-set while reading an
  $\omega$-word $w$ in the IWCs, we put the color 1 on the transition $(m, a, m')$.

– For each DAC $D^i$, we transpose its colors after the colors for the IWCs and
  the other DACs with smaller index. So we set the base number for the colors
  of the DAC $D^i$ to be $b_i = 2 + \sum_{0 < h < i} (2 \cdot |D^h| + 1)$, i.e., the number of
  colors already being used. Then, if we receive the color $c$ for the transition
  $(g^i_m, a, g^i_{m'})$ from detSucc, we put $c + b_i \in p^E(e)$.

– We follow the same approach for the NAC $N^j$: we set its base number to be
  $b_j = 2 + \sum_{1 \leq h \leq d} (2 \cdot |D^h| + 1) + \sum_{0 < h < j} (2 \cdot |N^h| + 1)$. Then, if we receive the
  color $c$ for the transition $(t^j_m, a, t^j_{m'})$ from nondetSucc, we put $c + b_j \in p^E(e)$.
Intuitively, we make the colors returned for each SCC not overlap with those
of other SCCs without changing their relative order. In this way, we can still 
independently check whether there exists an accepting run staying in an SCC. 


Acceptance Formula $\mathit{Acc}^E$. We now define the acceptance $\mathit{Acc}^E$, which is
basically the disjunction of the acceptance formulas for the different types of SCCs,
after transposing them. Regarding the IWCs, we trivially define $\mathit{Acc}_W = \mathsf{Fin}(1)$,
since this is the acceptance formula for IWCs; as said before, color 0 is not used.

For DACs and NACs, the definition is more involved. For instance, regarding
the DAC $D^i$, we know that all returned colors are inside $\{1, \ldots, 2 \cdot |D^i| + 1\}$.
According to Lemma 2, an accepting run eventually stays in $D^i$ if and only if
the minimum color that we receive infinitely often is even. Thus, the acceptance
formula for the above lemma is $\mathit{parity}(|D^i|) = \bigvee_{c=1}^{|D^i|} \big(\bigwedge_{j=1}^{c} \mathsf{Fin}(2j - 1) \wedge \mathsf{Inf}(2c)\big)$.
Let $b_i = 2 + \sum_{h < i} (2 \cdot |D^h| + 1)$ be the base number for the colors of $D^i$, which is
also the number of colors already used by the IWCs and the DACs $D^h$ with $h < i$.
Since we have added the base number $b_i$ to every color of $D^i$, we then have the
acceptance formula $\mathit{Acc}_{D^i} = \bigvee_{c=1}^{|D^i|} \big(\bigwedge_{j=1}^{c} \mathsf{Fin}(2j - 1 + b_i) \wedge \mathsf{Inf}(2c + b_i)\big)$.
For each NAC $N^j$, the colors we receive are in $\{1, \ldots, 2 \cdot |N^j| + 1\}$. Let
$b_j = 2 + \sum_{1 \leq h \leq d} (2 \cdot |D^h| + 1) + \sum_{h < j} (2 \cdot |N^h| + 1)$ be the base number for $N^j$.
Similarly to the DAC case, for each NAC $N^j$ we let
$\mathit{Acc}_{N^j} = \bigvee_{c=1}^{|N^j|} \big(\bigwedge_{i=1}^{c} \mathsf{Fin}(2i - 1 + b_j) \wedge \mathsf{Inf}(2c + b_j)\big)$.

The acceptance formula for $A^E$ is $\mathit{Acc}^E = \mathit{Acc}_W \vee \bigvee_{i=1}^{d} \mathit{Acc}_{D^i} \vee \bigvee_{j=1}^{k} \mathit{Acc}_{N^j}$.

Consider again the NBA $A$ given in Fig. 1 and its various SCCs. The acceptance
formula for the constructed DELA is the disjunction of the formulas
$\mathit{Acc}_W = \mathsf{Fin}(1)$; $\mathit{Acc}_D = \bigvee_{c=1}^{2} \big(\bigwedge_{j=1}^{c} \mathsf{Fin}(2j - 1 + 2) \wedge \mathsf{Inf}(2c + 2)\big)$, since the base
number for $D$ is 2; and $\mathit{Acc}_N = \bigvee_{c=1}^{2} \big(\bigwedge_{j=1}^{c} \mathsf{Fin}(2j - 1 + 7) \wedge \mathsf{Inf}(2c + 7)\big)$, since 7
is the base number for $N$.
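As an added worked example (not code from the paper or from COLA), the following Python computes the base numbers $b_i$, $b_j$, builds the transposed color set $p^E(e)$ of a macro-transition from the colors returned by the three successor functions, and evaluates $\mathit{Acc}^E$ on a macrorun lasso, given the color sets of the transitions on its cycle. It is parametric in the SCC sizes, so it covers any number of DACs and NACs, not only the single $D$ and $N$ of Fig. 1; the function names and the sample color sets are assumptions for illustration, and the per-SCC colors are taken as given rather than produced by weakSucc, detSucc or nondetSucc.

```python
# Added example: color transposition and Acc^E (Sect. 4) for given per-SCC colors.

def bases(dac_sizes, nac_sizes):
    """Base numbers b_i (DACs) and b_j (NACs): the colors of each SCC are shifted
    past the two IWC colors and past the colors of every SCC listed before it."""
    b_dacs, offset = [], 2                       # colors 1 and 2 belong to the IWCs
    for size in dac_sizes:
        b_dacs.append(offset)
        offset += 2 * size + 1                   # a DAC D uses 2|D|+1 colors
    b_nacs = []
    for size in nac_sizes:
        b_nacs.append(offset)
        offset += 2 * size + 1                   # a NAC N uses 2|N|+1 colors
    return b_dacs, b_nacs


def transpose(iwc_color, dac_colors, nac_colors, dac_sizes, nac_sizes):
    """p^E(e): color 1 from weakSucc is kept as is (color 2 is dropped, since
    Acc_W only mentions Fin(1)); DAC/NAC colors are shifted by their base."""
    b_dacs, b_nacs = bases(dac_sizes, nac_sizes)
    colors = {1} if iwc_color == 1 else set()
    colors |= {c + b for c, b in zip(dac_colors, b_dacs)}
    colors |= {c + b for c, b in zip(nac_colors, b_nacs)}
    return colors


def parity_block(base, size, inf):
    """Acc for one DAC or NAC with the given base number:
    OR_{c=1..size} ( AND_{j=1..c} Fin(2j-1+base)  AND  Inf(2c+base) ),
    evaluated against `inf`, the set of colors occurring infinitely often."""
    for c in range(1, size + 1):
        odd_below_finite = all((2 * j - 1 + base) not in inf for j in range(1, c + 1))
        if odd_below_finite and (2 * c + base) in inf:
            return True
    return False


def accepts(loop_color_sets, dac_sizes, nac_sizes):
    """Evaluate Acc^E = Acc_W ∨ ⋁_i Acc_{D^i} ∨ ⋁_j Acc_{N^j} on a macrorun lasso.
    `loop_color_sets` are the p^E sets of the transitions on the repeating cycle,
    so their union is exactly the set of colors seen infinitely often."""
    inf = set().union(*loop_color_sets)
    if 1 not in inf:                              # Acc_W = Fin(1)
        return True
    b_dacs, b_nacs = bases(dac_sizes, nac_sizes)
    return (any(parity_block(b, s, inf) for b, s in zip(b_dacs, dac_sizes))
            or any(parity_block(b, s, inf) for b, s in zip(b_nacs, nac_sizes)))


if __name__ == "__main__":
    # Fig. 1 sizes: one DAC with 2 states (base 2), one NAC with 2 states (base 7).
    print(bases([2], [2]))
    print(transpose(1, [2], [5], [2], [2]))
    print(accepts([{1, 6, 12}, {1, 4, 12}], [2], [2]))
```

With the Fig. 1 sizes the bases come out as $b_D = 2$ and $b_N = 7$, as in the text, and an IWC color 1 together with DAC color 2 and NAC color 5 is transposed to $\{1, 4, 12\}$. A cycle on which the IWC keeps emitting color 1 but the DAC alternates between colors 4 and 2 (transposed 6 and 4) is accepted through $\mathit{Acc}_D$ with $c = 1$, because color 3 is never seen and color 4 is; a cycle whose only DAC color is the odd 5 (transposed 7) and whose only NAC color is 5 (transposed 12) is rejected by every disjunct.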

The construction given in this section is correct, as stated by Theorem 1. 


Theorem 1. Given an NBA $A$ with $n = |Q|$ states, let $A^E$ be the DELA
constructed by our method. Then (1) $L(A^E) = L(A)$ and (2) $A^E$ has at most
$3^{|W|} \cdot \prod_{i=1}^{d} (3 \cdot |D^i|!) \cdot \prod_{j=1}^{k} \big(2 \cdot (|N^j|!)^2\big)$ macrostates and $3n + 1$ colors.


Obviously, if d = k = 0, A is a weak BA [32]. If k = 0, A is an elevator BA, a 
new class of BAs recently introduced in [19] which have only IWCs and DACs, 
a strict superset of semi-deterministic BAs (SDBAs) [10]. SDBAs will behave 
deterministically after seeing acceptance transitions. An elevator BA that is not 
an SDBA can be obtained from the NBA A shown in Fig. 1 by setting q2 as 
initial state and by removing all states and transitions relative to the NAC. 

It is known that the lower bound for determinizing SDBAs is n! [14,27]. 
Then the determinization complexity of weak BAs and elevator BAs can be 
easily improved exponentially as follows. 


Corollary 1. (1) Given a weak Büchi automaton $A$ with $n = |Q|$ states, the
DELA constructed by our algorithm has at most $3^n$ macrostates. (2) Given an
elevator Büchi automaton $A$ with $n = |Q|$ states, our algorithm constructs a
DELA with $O(n!)$ macrostates; it is asymptotically optimal.


The upper bound for determinizing weak BAs is already known [5]. Elevator 
BAs are, to the best of our knowledge, the largest subclass of NBAs known so 
far to have determinization complexity O(n!). 

The acceptance formula for an SCC can be seen as a parity acceptance for- 
mula with colors being shifted to different ranges. A parity automaton can be 
converted into a Rabin one without blow-up of states and transitions [16]. Since 
Acc" is a disjunction of parity acceptance formulas, Theorem 2 then follows. 


Theorem 2. Let $A^E$ be the constructed DELA for the given NBA $A$. Then $A^E$
can be converted into a DRA $A^R$ without blow-up of states and transitions.


Translation to Deterministic Parity Automata (DPAs). We note that 
there is an optimal translation from a DRA to a DPA described in [7], imple- 
mented in SPOT via the function acd_transform [8]. 


5 Empirical Evaluation 


To analyze the effectiveness of our Divide-and-Conquer determinization
construction proposed in Sect. 3, we implemented it in our tool COLA, which
is built on top of Spot [12]. The source code of COLA is publicly available
from https://github.com/liyong31/COLA. We compared COLA with the official
versions of SPOT [12] (2.10.2) and OWL [23] (21.0). SPOT implements the
algorithm described in [35], a variant of [33] for transition-based NBAs, while
OWL implements the algorithms described in [28,29], both constructing DPAs as
result. To make the comparison fair, we let all tools generate DPAs, so we used
the command autfilt --deterministic --parity=min\ even -F file.hoa
to call SPOT and owl nbadet -i file.hoa to call OWL. Recall that we use the
function acd_transform [8] from SPOT for obtaining DPAs from our DRAs. The
tools above also implement optimizations for reducing the size of the output
DPA, like simulation and state merging [29], or stutter invariance [22] (except
for OWL); we use the default settings for all tools. We performed our experiments
on a desktop machine equipped with 16 GB of RAM and a 3.6 GHz Intel
Core i7-4790 CPU. We used BENCHEXEC^1 [3] to trace and constrain the tools'
executions: we allowed each execution to use a single core and 12 GB of memory,
and imposed a timeout of 10 min. We used SPOT to verify the results generated
by the three tools and found only outputs equivalent to the inputs.

As benchmarks, we considered all NBAs in the HOA format [1] available
in the AUTOMATA-BENCHMARKS repository^2. We have pre-filtered them with
autfilt to exclude all deterministic cases and to keep only nondeterministic BAs,
obtaining in total 15,913 automata coming from different sources in the literature.

The artifact with tools, benchmarks, and scripts to run the experiments and 
generate the plots is available at [25]. 


1 https://github.com/sosy-lab/benchexec/.
2 https://github.com/ondrik/automata-benchmarks/.
Fig. 2. The cactus plot for the determinization of NBAs from AUTOMATA-BENCHMARKS.

Fig. 3. States comparison for the determinization of NBAs from AUTOMATA-
BENCHMARKS. (Color figure online)


In Fig. 2 we show a cactus plot reporting how many input automata have 
been determinized by each tool, over time. As we can see, COLA works better 
than SPOT, with COLA solving in total 15,903 cases and SPOT 15,862 cases, 
with OWL solving in total 15,749 cases and taking more time to solve as many 
instances as COLA and SPOT. From the plot given in Fig. 2 we see that COLA 
is already very competitive with respect to its performance. 

In Fig. 3 we show the number of states of the generated DPAs. In the plot 
we indicate with the bold dashed line the maximum number of states of the 
automata produced by either of the two tools, and we place a mark on the 
upper or right border of the plot to indicate that one tool has generated an 
automaton with that size while the other tool just failed. The color of each mark 
represents how many instances have been mapped to the corresponding point. 
As the plots show, SPOT and COLA generate automata with similar size, with 
COLA being more likely to generate smaller automata, in particular for larger 
outputs. OWL, instead, very frequently generates automata larger than COLA. 
In fact, on the 15,710 cases solved by all tools, on average COLA generated 44
states, SPOT 65, and OWL 87. If we compare COLA with just one tool at a
time, on the 15,854 cases solved by both COLA and SPOT, we have 125 states
for COLA and 246 for SPOT; on the 15,749 cases solved by both COLA and
OWL, we have 45 states for COLA and 88 for OWL. A similar situation occurs
for the number of transitions, so we omit it.

Fig. 4. Acceptance sets comparison for the determinization of NBAs from AUTOMATA-
BENCHMARKS. (Color figure online)

Table 1. Pearson correlation coefficients for the AUTOMATA-BENCHMARKS experiments.

                 # input states   # input SCCs   average SCC size
runtime               0.77             0.62            -0.01
output states         0.41             0.17             0.05

Lastly, in Fig.4 we compare the number of acceptance sets (i.e., the colors 
in Definition 1) of the generated DPAs; more precisely, we consider the integer 
value occurring in the mandatory Acceptance: INT acceptance-cond header 
item of the HOA format [1], which can be 0 for the automata with all or none 
accepting transitions. From the plots we can see that COLA generates more 
frequently DPAs with a number of colors that is no more than the number 
used by SPOT, as indicated by the yellow/red marks on (10,394 cases) or above 
(5,495 cases) the diagonal. Only in very few cases COLA generates DPAs with 
more colors than SPOT (22 cases), as indicated by the few blue/greenish marks 
below the diagonal. Regarding OWL, however, from the plot we can clearly see 
that COLA uses almost always (15,840 cases) fewer colors than OWL; the only 
exception is for the mark at (0,0) representing 63 cases. 

The number and sizes of SCCs influence the performance of COLA, so we 
provide some statistics about the correlation between these and the runtime and 
size of the generated DPA. By combining the execution statistics with the input 
SCCs and states, we get the Pearson correlation coefficients shown in Table 1. 
Here the larger the number in a cell is, the stronger the positive correlation 
between the element that the row and the column represent. From these coef- 
ficients we can say that there is a quite strong positive correlation between the 
number of states and of SCCs and the running time, but not for the average 
SCC size; regarding the output states, the situation is similar but much weaker. 

We also considered a second set of benchmarks: 644 NBAs generated by 
SPOT's ltl2tgba on the LTL formulas considered in [23], as available in 
OWL's repository at https://gitlab.lrz.de/i7/owl. The outcomes for these bench-
marks are similar to the ones for AUTOMATA-BENCHMARKS, but a bit better for 
COLA, so we do not present them in detail. 

Fig. 5. The family of NBAs $A_n$, with $\Sigma = \{0, 1, \dots, n\}$. 


6 Related Work 


To the best of our knowledge, our determinization construction is the first algo- 
rithm that determinizes SCCs independently while taking advantage of different 
structures of SCCs, which is the main difference between our algorithm and 
existing works. We illustrate other minor differences below. 

Different types of SCCs, like DACs and IWCs, are also taken with special 
care in [29] as in our work, modulo the handling details. However, the work [29] 
does not treat them independently as the labelling numbers in those SCCs still 
have relative order with those in other SCCs. Thus their algorithm can be expo- 
nentially worse than ours (cf. Theorem 3) and performs not as well as ours in 
practice; see the comparison with OWL in Sect. 5. The determinization algorithm 
given in [14] for SDBAs is a special case of the one presented in [35] for NBAs, 
which gives precedence to the deterministic runs seeing accepting transitions ear- 
lier, while we give precedence to runs that enter DACs earlier. More importantly, 
the algorithm from [14] does not work when there is nondeterminism between 
DACs, while our algorithm overcomes this by considering DACs separately and 
by ignoring runs going to other SCCs. 

Current works for determinization of general NBAs, such as [18,21,28,35,36, 
38] can all be interpreted as different flavours of the Safra-Piterman based algo- 
rithm. Our determinization of NACs is also based on Safra-trees and inspired 
by SPOT, except that we may have newly arriving states from other SCCs while 
other works only need to consider the successors from the current states in the 
Safra-tree. The modular approach for determinizing Büchi automata given in [17] 
builds on reduced split trees [21] and can construct the deterministic automa- 
ton with a given tree-width. The algorithm constructs the final deterministic 
automaton by running in parallel the NBA for all possible tree-widths, rather 
than working on SCCs independently as we do in this work. 
Compared to the algorithms operating on the whole NBA, our algorithm can 
be exponentially better on the family of NBAs shown in Fig. 5, as formalized 
in Theorem 3; we can encounter some variation of this family of NBAs when 
working with fairness properties. The intuition is that we take care of the DACs 
$\{q_i\}$ independently, so for each of them we have only two choices: either the 
run is in the DAC, or it is not in the DAC, resulting in a single exponential num-
ber of combinations. Existing works [14,21,28,33,35,36] order the runs entering 
the DACs based on when they visit accepting transitions, in which every order 
corresponds to a permutation of $\{q_1, \dots, q_n\}$. 


Theorem 3. There exists a family of NBAs $A_n$ with $n+2$ states for which the 
algorithms in [14, 21, 28, 33, 35, 36] give a DPA with at least $n!$ macrostates while 
ours gives a DELA with at most $2^{n+2}$ macrostates. 


In practice, for each NBA $A_n$, $n > 3$, COLA produces a DELA/DPA with $n$ 
macrostates, while both SPOT and OWL give a DPA with $n! + 1$ macrostates. 


7 Conclusion and Future Work 


We proposed a divide-and-conquer determinization construction for NBAs that 
takes advantage of the structure of different types of SCCs and determinizes them 
independently. In particular, our construction can be exponentially better than 
classical works on a family of NBAs. Experiments showed that our algorithm 
outperforms the state-of-the-art implementations regarding the number of states 
and transitions on a large set of benchmarks. To summarize, our divide-and- 
conquer determinization construction is very practical, being a good complement 
to existing theoretical approaches. 

Our divide-and-conquer approach for NBAs can also be applied to the com- 
plementation problems of NBAs. By Proposition 1, w is not accepted by A if and 
only if there are no accepting runs staying in an SCC. Thus we can construct a 
generalized Büchi automaton with a conjunction of Inf(i) as the acceptance for-
mula to accept the complement language $\Sigma^\omega \setminus L(A)$ of $A$; the generalized Büchi 
automaton in fact takes the intersection of the complement language of each 
type of SCCs. For complementing IWCs, we use the same construction as deter-
minization except that the acceptance formula will be Inf(1). For complementing 
DACs, we can borrow the idea of NCSB complementation construction [4] which 
complements SDBAs in time $4^n$. For complementing NACs, we just adapt the 
slice-based complementation [21] of general NBAs. We leave the details of this 
divide-and-conquer complementation construction for NBAs as future work. 
Abstract. Spot is a C++17 library for LTL and ω-automata manipula-
tion, with command-line utilities, and Python bindings. This paper sum-
marizes its evolution over the past six years, since the release of Spot 2.0, 
which was the first version to support ω-automata with arbitrary accep-
tance conditions, and the last version presented at a conference. Since 
then, Spot has been extended with several features such as acceptance 
transformations, alternating automata, games, LTL synthesis, and more. 
We also shed some light on the data structure used to store automata. 
Artifact: https://zenodo.org/record/6521395. 


1 Availability, Purpose, and Evolution 


Spot is a library for LTL and ω-automata manipulation, distributed under a 
GPLv3 license. Its source code is available from https://spot.lrde.epita.fr/. We 
provide packages for some Linux distributions like Debian and Fedora, but other 
packages can also be found for Conda-Forge [17] (for Linux & Darwin), Arch 
Linux, FreeBSD... 

Spot can be used via three interfaces: a C++17 library, a set of command-
line tools that give easy access to many features of the library, and Python 
bindings, which make prototyping and interactive work very attractive. Our web 
site now contains many examples of how to perform some tasks using these three 
interfaces, and we have a public mailing list for questions. 

In our last tool paper [21], Spot 2.0 had just converted from being a library 
for working on Transition-based Generalized Büchi Automata and had become 
a library supporting ω-automata with arbitrary Emerson-Lei [22,41] acceptance 
conditions, as enabled by the development of the HOA format [5]. 

In the HOA format, transitions can carry multiple colors, and acceptance 
conditions are expressed as positive Boolean formulas over atoms like Fin(i) or 
Inf(i) that tell whether a color should be seen finitely or infinitely often for a run 
to be accepting. Table 1 gives some examples. 
Table 1. Acceptance formulas corresponding to classical names. 

Büchi                    $\mathrm{Inf}(0)$ 
generalized Büchi        $\bigwedge_i \mathrm{Inf}(i)$ 
Fin-less [9]             any positive formula of $\mathrm{Inf}(\dots)$ 
co-Büchi                 $\mathrm{Fin}(0)$ 
generalized co-Büchi     $\bigvee_i \mathrm{Fin}(i)$ 
Rabin                    $\bigvee_i (\mathrm{Fin}(2i) \wedge \mathrm{Inf}(2i+1))$ 
generalized Rabin [29]   $\bigvee_i (\mathrm{Fin}(i) \wedge \bigwedge_{j < n_i} \mathrm{Inf}(j))$ 
Streett                  $\bigwedge_i (\mathrm{Inf}(2i) \vee \mathrm{Fin}(2i+1))$ 
parity min even          $\mathrm{Inf}(0) \vee (\mathrm{Fin}(1) \wedge (\mathrm{Inf}(2) \vee (\mathrm{Fin}(3) \wedge \dots)))$ 
parity min odd           $\mathrm{Fin}(0) \wedge (\mathrm{Inf}(1) \vee (\mathrm{Fin}(2) \wedge (\mathrm{Inf}(3) \vee \dots)))$ 
parity max even          $(((\mathrm{Inf}(0) \wedge \mathrm{Fin}(1)) \vee \mathrm{Inf}(2)) \wedge \mathrm{Fin}(3)) \vee \dots$ 
parity max odd           $(((\mathrm{Fin}(0) \vee \mathrm{Inf}(1)) \wedge \mathrm{Fin}(2)) \vee \mathrm{Inf}(3)) \wedge \dots$ 


While Spot 2.0 was able to read automata with arbitrary acceptance condi- 
tions, not all of its algorithms were able to support such a generality. For instance 
testing an automaton for emptiness or finding an accepting word, would only 
work on automata with “Fin-less” acceptance conditions. For other conditions, 
Spot 2.0 would rely on a procedure called remove_fin() to convert automata 
with arbitrary acceptance conditions into “Fin-less” acceptance conditions [9]. 
This was ultimately fixed by developing a generic emptiness check [6]. Addition-
ally, the support for arbitrary acceptance conditions has allowed us to implement 
many useful algorithms, the most recent being the Alternating Cycle Decompo-
sition [15,16], a powerful data structure with many applications (conversion to 
parity acceptance, degeneralization, typeness checks...)^1. 
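To make the acceptance formulas of Table 1 concrete, here is an added Python illustration (written for this page; it is not Spot's code, and the tuple encoding and helper names are our own). It encodes Emerson-Lei formulas as small tuples and evaluates them against the set of colors a run sees infinitely often, stored as an integer bit-vector the way Spot's 32-bit `acc` field stores the colors of one edge. The `parity` builder produces the four nested parity shapes of the table for any number of colors, and `parity_reference` is the direct "least/greatest color seen infinitely often" definition used to cross-check them.

```python
# Emerson-Lei acceptance formulas evaluated over the colors a run sees
# infinitely often. Added illustration for this page, not Spot's code: the
# tuple encoding and the helper names are our own. A color set is an int
# bit-vector (bit i set <=> color i seen infinitely often), mirroring the
# 32-bit `acc` field Spot stores on each edge.

def Inf(i): return ("Inf", i)
def Fin(i): return ("Fin", i)
def And(*fs): return ("And", fs)
def Or(*fs): return ("Or", fs)

def holds(formula, inf_mask):
    """True iff a run whose infinitely-often colors are `inf_mask` is accepting."""
    kind = formula[0]
    if kind == "Inf":
        return (inf_mask >> formula[1]) & 1 == 1
    if kind == "Fin":
        return (inf_mask >> formula[1]) & 1 == 0
    if kind == "And":
        return all(holds(f, inf_mask) for f in formula[1])
    if kind == "Or":
        return any(holds(f, inf_mask) for f in formula[1])
    raise ValueError(f"unknown node {kind!r}")

def to_str(formula):
    """HOA-style rendering, e.g. '(Fin(0) & Inf(1))'."""
    kind = formula[0]
    if kind in ("Inf", "Fin"):
        return f"{kind}({formula[1]})"
    op = " & " if kind == "And" else " | "
    return "(" + op.join(to_str(f) for f in formula[1]) + ")"

def cycle_colors(edge_accs):
    """OR of the `acc` bit-vectors of the edges on a lasso's cycle: exactly
    the colors seen infinitely often by the run that follows that lasso."""
    mask = 0
    for acc in edge_accs:
        mask |= acc
    return mask

# The named conditions of Table 1, over colors 0..n-1.
def buchi(): return Inf(0)
def generalized_buchi(n): return And(*[Inf(i) for i in range(n)])
def co_buchi(): return Fin(0)
def generalized_co_buchi(n): return Or(*[Fin(i) for i in range(n)])
def rabin(pairs): return Or(*[And(Fin(2 * i), Inf(2 * i + 1)) for i in range(pairs)])
def streett(pairs): return And(*[Or(Inf(2 * i), Fin(2 * i + 1)) for i in range(pairs)])

def parity(n, kind="min", wanted="even"):
    """Nested parity formula over n colors: an Inf atom is disjoined with the
    rest, a Fin atom conjoined. "min" nests from the last color inward
    (Inf(0) | (Fin(1) & ...)); "max" from color 0 outward ((... | Inf(2)) & Fin(3))."""
    def atom(i):
        use_inf = (i % 2 == 0) == (wanted == "even")
        return Inf(i) if use_inf else Fin(i)
    if kind == "min":
        f = atom(n - 1)
        for i in range(n - 2, -1, -1):
            a = atom(i)
            f = Or(a, f) if a[0] == "Inf" else And(a, f)
        return f
    f = atom(0)
    for i in range(1, n):
        a = atom(i)
        f = Or(f, a) if a[0] == "Inf" else And(f, a)
    return f

def parity_reference(inf_mask, kind="min", wanted="even"):
    """Direct definition, for a non-empty color set: the least (min) or
    greatest (max) color seen infinitely often must have the wanted parity."""
    colors = [i for i in range(inf_mask.bit_length()) if (inf_mask >> i) & 1]
    c = min(colors) if kind == "min" else max(colors)
    return c % 2 == (0 if wanted == "even" else 1)
```

Note that the nested parity formulas also decide the empty color set (for instance `parity(4, "min", "even")` accepts it through its trailing `Fin(3)`), which is why the reference definition is only compared on non-empty sets.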

There have been 56 releases of Spot since version 2.0, but only 10 of these 
are major releases. Releases are numbered 2.x.y where y is updated for minor 
upgrades that mostly fix bugs, and x is updated for major releases that add new 
features. (The leading 2 would be incremented in case of a serious redesign of the 
API.) Table 2 summarizes the highlights of the various releases in chronological 
order. Not appearing in this list are many micro-optimizations and usability 
improvements that Spot has accumulated over the years. 


2 Use-cases of Spot, and Related Tools 


As it is a library, there are many ways to use Spot. We are mostly aware of such 
uses via citations^2. Historical and frequent use-cases are to use Spot for trans-
lating LTL formulas to automata (Winners of the sequential LTL and parallel 
LTL tracks of RERS’19 challenge [26] both used Spot to translate the properties 
into automata, many competitors on the Model Checking Contest [28] also use 


1 https://spot.lrde.epita.fr/ipynb/zlktree.html. 
2 Our previous tool paper [21] has over 250 citations according to Google Scholar. 
Table 2. Milestones in the history of Spot. 

Year  Version       Highlights 
2004  0.x (C++03)   Prehistory of the project [20]. 
2012  0.9           Support for some PSL operators. 
      1.0           Command-line tools, mostly focused on LTL/PSL input [19]. Includes 
                    ltlcross, a clone of LBTT [42]. Python bindings. 
2013  1.1           Automatic detection of stutter-invariant formulas [36]. 
      1.2           SAT-based minimization [3,4]. ltlcross and the new dstar2tgba can 
                    read Rabin and Streett automata produced by ltl2dstar [27]. 
2016  2.0 (C++11)   Rewrite of the LTL formulas representation. Rewrite of the automaton 
                    class to allow arbitrary acceptance. Support for the HOA format. More 
                    command-line tools, now that automata can be exchanged with other 
                    tools [21]. New determinization procedure. 
      2.1           Conversion to generalized Streett or Rabin. Small usability improve-
                    ments all around (like better support for CSV files). 
      2.2           LTLf→LTL conversion [24]. Faster simulation-based reduction of 
                    deterministic automata. 
2017  2.3           Initial support for alternating automata and alternation removal. 
                    400% faster emptiness check. Incremental SAT-based minimization. 
                    Classification in the temporal hierarchy of Manna & Pnueli [34]. 
      2.4 (C++14)   New command-line tools: autcross to check and compare automata 
                    transformations, genaut to generate families of automata. Dualization 
                    of automata. Conversion from Rabin to Büchi [31] updated to support 
                    transition-based input. Relabeling of LTL formulas with large Boolean 
                    subformulas to speed up their translation. 
2018  2.5           New command-line tool ltlsynt for synthesis of AIGER circuits from 
                    LTL specifications [35]. Conversions to co-Büchi [10]. Utilities for con-
                    verting between parity acceptance conditions. Detection of stutter-
                    invariant states. Determinization optimized. 
      2.6           Compile-time option to support more than 32 colors. Specialized trans-
                    lation for formulas of the type GF(φ) if φ is a guarantee. New transla-
                    tion mode to output automata with unconstrained acceptance con-
                    dition. Semi-deterministic complementation [8]. Faster detection of 
                    obligation properties. Online LTL translator replaced by a new web 
                    application (see Fig. 4). 
2019  2.7           LAR-based paritization in ltlsynt. Generic emptiness check [6]. 
                    Detection of liveness properties [2]. 
      2.8           Accepting run extraction for arbitrary acceptance. Introduction of an 
                    "output_aborter" to abort constructions that are too large. Support 
                    for SVA's delay syntax, and first_match operator [1]. Minimization 
                    of parity acceptance [14]. 
2020  2.9           Better paritization, partial degeneralization, and acceptance simplifi-
                    cations [39]. Weak and strong variants of X. Xor product of automata, 
                    used while translating formulas to automata with unconstrained 
                    acceptance. 
2021  2.10 (C++17)  ltlsynt overhauled [40]. Support for games and Mealy machines. 
                    Mealy machines simplifications. Multiple encodings from Mealy 
                    machine to AIGER. Experimental twacube class for parallel algo-
                    rithms. Support for transition-based Büchi. Zielonka Trees and Alter-
                    nating Cycle Decomposition [15, 16]. 
Spot this way), or to use it as a research/development toolbox, since it provides 
helper tools for generation of random formulas/automata, verification of LTL-
to-automata translation, simplifications, syntax conversions, etc. Nowadays, the 
algorithms for ω-automata implemented in Spot are often used as a baseline for 
studying better algorithms [e.g., 18,25,32,33], but we also see some new appli-
cations built on top of ω-automata algorithms from Spot [e.g., 12,13]. 

The projects that have the largest intersections of features with Spot seem to 
be GOAL [43] and Owl [30]. These are two Java-based frameworks that deal with 
similar objects and provide a range of algorithms. Owl and Spot share a simi- 
lar and traditional Unix view of the command-line experience, where multiple 
commands are expected to be chained with pipes, and they both communicate 
smoothly via the HOA format [5]. GOAL is centered on a graphical interface in 
which the user can edit automata, and apply algorithms listed in menu entries. 
Using GOAL from the command-line is possible by writing short scripts in a 
custom language. 

As far as interfacing goes, the most important feature of Spot is probably 
that it exposes its algorithms and data structures in Python. Beside being usable 
as a glue language between various tools, this allows us (1) to leverage Python’s 
ecosystem and (2) to quickly prototype new algorithms in Python. 


3 Automata Representation 


In this section and the next three, we focus on how the storage of automata 
evolved to support alternation, games, and Mealy machines. 

The main automaton class of Spot is called twa_graph and inherits from the 
twa class. The letters twa stand for Transition-based ω-Automaton. 

The class twa implements an abstract interface that allows on-the-fly explo- 
ration of an automaton similar to what had been present in Spot from the start: 
essentially, one can query the initial state, and query the transitions leaving 
any known state. In particular, before exploring the state-space of a twa, it is 
unknown how many states are reachable. Various subclasses of twa are provided 
in Spot, for instance to represent the state-space of Promela or Divine mod- 
els [21]. Users may create subclasses, for instance to create a Kripke structure 
on-the-fly.^3 

The class twa_graph, introduced in Spot 2.0, implements an explicit, graph-
based, representation of an automaton, in which states and edges are designated 
by integers. This makes for a much simpler interface^4 and usually simplifies the 
data structures used in algorithms (since states and edges can be used as indices 
in arrays). The data structure is best illustrated by using the show_storage() 
method of the Python bindings, as shown by Fig. 1. A twa_graph is stored as 
two C++ vectors: a vector of states, and a vector of edges. For each state, the first 
vector stores two edge numbers: succ is the first outgoing edge, and succ_tail 
is the last one. These numbers are indices into the edge vector, which stores five 
pieces of information per edge. Four of them are related to the identity of the 


3 As demonstrated by https://spot.lrde.epita.fr/tut51.html. 
4 Contrast on-the-fly and explicit APIs at https://spot.lrde.epita.fr/tut50.html. 
In [2]: aut = spot.translate('GF(a <-> Xa) & FGb', 'det', 'gen') 
        aut 

Out[2]: [Figure: the automaton, with acceptance Fin(0) & Inf(1), i.e. Rabin 1.] 

In [3]: aut.show_storage() 

Out[3]: [Figure: the state vector (succ, succ_tail per state) and the edge vector 
        (src, dst, cond, acc, next_succ per edge) drawn as two tables, followed by:] 

        init_state: 0                  prop_state_acc: maybe 
        num_sets: 2                    prop_inherently_weak: maybe 
        acceptance: Fin(0) & Inf(1)    prop_terminal: no 
        ap_vars: ba                    prop_weak: maybe 
                                       prop_very_weak: maybe 
                                       prop_complete: maybe 
                                       prop_universal: yes 
                                       prop_unambiguous: yes 
                                       prop_semi_deterministic: yes 
                                       prop_stutter_invariant: maybe 

Fig. 1. Internal representation of a twa_graph as two vectors. 


edge: src, dst, cond, acc are respectively the source, destination, guard, and 
color sets of the edge. The remaining field, next_succ gives the next outgoing 
edge, effectively creating a linked list of all edges leaving a given state. There 
is no edge 0: this value is used as terminator for such lists. Outgoing edges of 
the same state are not necessarily adjacent in that structure. When a new edge 
is added to the automaton, it is simply appended to the edge vector, and the 
succ_tail field of the state is used to update the previous end of the list. 

To iterate over successors of state 1 in C++ or Python, one can ignore the 
above linked list implementation and write one of the following loops: 

    for (auto& e: aut->out(1)) 
      // use e.cond, e.acc, e.dst 

    for e in aut.out(1): 
        # use e.cond, e.acc, e.dst 

The twa_graph::out method simply returns a lightweight temporary object 
which can be iterated upon using iterators that will follow the linked list. Then 
the object e is effectively a reference to a column of the edge vector. 

As seen on Fig.1, the automaton additionally stores an initial state (Spot 
only supports a single initial state), a number of colors (num_sets), an acceptance 
condition, a list of atomic propositions (Spot only supports alphabets of the form 
$2^{AP}$) and 10 fields storing structural properties of the automaton. 

These property fields have only three possible values: they default to maybe, 
but can be set to no or yes by algorithms that work on the automaton. They can 
also be read and written in the HOA format. For instance if prop_universal is 
set to yes, it means that the automaton does not have any existential choice (a.k.a. 
non-determinism). Spot’s is_deterministic() algorithm can return in constant 
time if prop_universal is known, otherwise it will inspect the automaton and 
set that property before returning, so that the next call to is_deterministic() 
will be instantaneous. Some algorithms know how to take advantage of any hint 
they get from those properties: for instance the product() of two automata is 
optimized to use fewer colors when one of the arguments is known to be weak 
(i.e., in an SCC all transitions have the same colors). 

Note that algorithms that modify an automaton in place have to remember 
to update those properties. This has caused a couple of bugs over the years. 


4 Introduction of Alternating Automata 


Support for alternating ω-automata, as defined in the HOA format, was added 
to Spot in version 2.3 without introducing a new class. Rather, the twa_graph 
class was extended to support alternation in such a way that existing algorithms 
would not require any modification to continue working on automata without 
universal branching. This was done by reserving the sign bit of the destination 
state number of each transition to signal universal branching. 

Figure 2 shows an example of an alternating automaton (top-left) with co-Büchi 
acceptance. In many works on alternating automata, it is conventional to not 
represent accepting sinks, and instead have transitions without destination. The 
top-right picture shows that Spot has a rendering option to hide accepting sinks. 

The bottom of the figure shows that the automaton has prop_state_acc set, 
which means that the automaton is meant to be interpreted as using state-based 
acceptance. Colors are still stored on edges internally, but all edges leaving a 
state have the same colors. Seeing that the condition is co-Büchi (Fin(0)), the 
display code automatically switched to the convention of using double-circles for 
rejecting states. 

Destinations with the sign bit set are called universal destination groups 
and appear in pink in the figure. There are two groups here: ~0 and ~3. The 
complement of these numbers can be used as indices in the dests vector, that 
actually stores the destination groups. At the given index, one can read the size 
n of the destination group, followed by the state numbers of the n destinations. 

Algorithms that work on alternating automata need to be able to iterate 
over all destinations of an edge. The process of checking the sign bit of the des-
tination to decide if it is a group, and of iterating on that group, is hidden by the 
univ_dests() method: 
display_inline(aut2, aut2.show('.u'), per_row=2) 

[Figure: the alternating automaton aut2 drawn twice, with co-Büchi acceptance; 
the right-hand rendering hides accepting sinks.] 

aut2.show_storage() 

[Figure: the state and edge vectors of aut2, and the dests vector holding the two 
universal destination groups ~0 and ~3, followed by:] 

        init_state: 0                  prop_state_acc: yes 
        num_sets: 1                    prop_inherently_weak: maybe 
        acceptance: Fin(0)             prop_terminal: maybe 
        ap_vars: ba                    prop_weak: maybe 
                                       prop_very_weak: maybe 
                                       prop_complete: no 
                                       prop_universal: yes 
                                       prop_unambiguous: yes 
                                       prop_semi_deterministic: yes 
                                       prop_stutter_invariant: maybe 

Fig. 2. Internal representation of alternating automata. 


    for (auto& e: aut->out(1)) { 
      // use e.cond, e.acc, e.src 
      for (unsigned d: aut->univ_dests(e)) 
        // use d 
    } 

    for e in aut.out(1): 
        # use e.cond, e.acc, e.src 
        for d in aut.univ_dests(e): 
            # use d 


Note that this code works on non-universal branches as well: if e.dst is 
unsigned, univ_dests(e) will simply iterate on that unique value. 
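The storage layout described in this section and the previous one (a state vector holding succ/succ_tail, an edge vector holding src, dst, cond, acc and next_succ with edge 0 as list terminator, and universal destination groups encoded through the sign bit and a dests vector) is small enough to reproduce in a few dozen lines. The following Python class is an added illustration written for this page, not Spot's code: `cond` is kept as a plain string instead of a BDD, `acc` is a color bit-vector, and `build_sample` constructs a 3-state automaton whose edges are deliberately appended out of order so that the linked list is visible.

```python
# Toy re-implementation of the twa_graph storage: a state vector (succ,
# succ_tail) and an edge vector (src, dst, cond, acc, next_succ) in which
# edge 0 is the list terminator, plus universal destination groups encoded
# by the sign bit as in Spot's alternating automata. Added example written
# for this page, not Spot's code; `cond` is a plain string, not a BDD.

class Edge:
    """One column of the edge vector."""
    __slots__ = ("src", "dst", "cond", "acc", "next_succ")
    def __init__(self, src, dst, cond, acc):
        self.src, self.dst, self.cond, self.acc = src, dst, cond, acc
        self.next_succ = 0          # 0 = end of the successor list

class State:
    __slots__ = ("succ", "succ_tail")
    def __init__(self):
        self.succ = 0               # first outgoing edge (0 = none yet)
        self.succ_tail = 0          # last outgoing edge, for O(1) append

class TwaGraph:
    def __init__(self):
        self.states = []
        self.edges = [None]         # index 0 reserved as the terminator
        self.dests = []             # groups: [n, d_1, ..., d_n, n', ...]

    def new_state(self):
        self.states.append(State())
        return len(self.states) - 1

    def new_univ_dests(self, dsts):
        """Store a destination group (its size, then its states) and return
        the complemented index, i.e. a number with the sign bit set."""
        idx = len(self.dests)
        self.dests.append(len(dsts))
        self.dests.extend(dsts)
        return ~idx

    def new_edge(self, src, dst, cond, acc=0):
        """Append an edge to the edge vector and link it at the end of the
        successor list of src, using succ_tail to find the previous end."""
        self.edges.append(Edge(src, dst, cond, acc))
        e = len(self.edges) - 1
        s = self.states[src]
        if s.succ == 0:
            s.succ = e
        else:
            self.edges[s.succ_tail].next_succ = e
        s.succ_tail = e
        return e

    def out(self, s):
        """Iterate over the edges leaving state s by following next_succ;
        the edges need not be adjacent in the edge vector."""
        e = self.states[s].succ
        while e != 0:
            yield self.edges[e]
            e = self.edges[e].next_succ

    def univ_dests(self, e):
        """Yield every destination of edge e: the single state when dst is
        non-negative, otherwise the group stored at index ~dst in dests."""
        if e.dst >= 0:
            yield e.dst
            return
        i = ~e.dst
        n = self.dests[i]
        for k in range(n):
            yield self.dests[i + 1 + k]

def build_sample():
    """Constructed sample: 3 states; state 0's second edge is appended after
    an edge of state 1, so its successor list is not contiguous."""
    aut = TwaGraph()
    s0, s1, s2 = aut.new_state(), aut.new_state(), aut.new_state()
    aut.new_edge(s0, s1, "a", acc=0b01)      # edge 1
    aut.new_edge(s1, s2, "b")                # edge 2
    aut.new_edge(s0, s0, "!a", acc=0b10)     # edge 3, linked after edge 1
    grp = aut.new_univ_dests([s1, s2])       # universal branch to 1 and 2
    aut.new_edge(s2, grp, "a")               # edge 4, dst == ~0
    return aut

def successors(aut, s):
    """(cond, [destinations]) for every edge leaving s, as an algorithm
    that supports alternation would see them."""
    return [(e.cond, list(aut.univ_dests(e))) for e in aut.out(s)]
```

Iterating with `out` and `univ_dests` works unchanged on edges without universal branching, exactly as the page notes: a non-negative `dst` simply yields itself.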

Spot has two alternation removal procedures. One is an on-the-fly implemen-
tation of the Breakpoint construction [37] which transforms an n-state alternat-
ing Büchi automaton into a non-alternating Büchi automaton with at most $3^n$ 
states. For very weak alternating automata, it is known that a powerset-based 
procedure can produce a transition-based generalized Büchi automaton with $2^n$ 
states [23]; in fact that algorithm even works on ordered automata [11], i.e., 
alternating automata where the only rejecting cycles are self-loops. The second 
alternation removal procedure of Spot is a mix between these two procedures 
but does not work on the fly: it takes a weak automaton as input, and uses the 
break-point construction on rejecting SCCs that have more than one state, and 
uses the powerset construction for other SCCs. 


5 Extending Automata via Named Properties 


Spot’s automata have a mechanism to attach arbitrary data to automata, called 
named properties. (This is similar to the notion of attributes in the R language.) 
An object can be attached to the automaton with: 


aut->set_named_prop("property-name", new mytype(...)); 


and later retrieved with: 


mytype* data = aut->get_named_prop<mytype>("property-name") ; 


Ensuring that mytype is the correct type for the retrieved property is the 
programmer’s responsibility. 

Spot has grown a list of many such properties over time.^5 For instance 
automaton-name stores a string that would be displayed as the name of the 
automaton. The highlight-edges and highlight-states properties can be 
used to color edges and states. The state-names property is a vector of strings 
that gives a name to each state, etc. While those examples are mostly related to the 
graphical rendering of the automata, some algorithms store useful byproducts as 
properties. For instance the product() algorithm will define a product-states 
named property that stores a vector of pairs of the original states. 

These named properties are sometimes used to provide additional semantics 
to the automaton, for instance to obtain a game or a Mealy machine. 


6 Games, Mealy Machines, and LTL Synthesis 


The application of Spot to LTL synthesis was introduced in Spot 2.5 in the form 
of the ltlsynt tool [35], but the inner workings of this tool were progressively 
redesigned and publicly exposed until version 2.10. 

An automaton can now be turned into a game by attaching the state-player 
property to it.^6 Only two-player games are supported, so state-player should 
be a std::vector<bool>. Currently, Spot has solvers for safety games and for 
games with parity max odd acceptance, but we plan to at least generalize the 
latter to any kind of parity condition. Once a game has been solved, it contains 
two new named properties: state-winner (a std::vector<bool> indexed by 
state numbers indicating the player winning in each state), and strategy (a 
std::vector<unsigned> that gives for each state the edge that its owner should 
follow to win). 


5 https://spot.lrde.epita.fr/concepts.html#named-properties. 
6 https://spot.lrde.epita.fr/tut40.html illustrates how a game can be used to decide if 
a state simulates another one. 
game = spot.automaton("ltlsynt --outs=b -f 'F(a&Xa) <-> Fb' --print-game-hoa |") 
spot.solve_game(game) 
spot.highlight_strategy(game) 
game 

[Figure: the game automaton, with an acceptance condition of type parity max odd 
and the winning strategy highlighted.] 

mealy = spot.solved_game_to_mealy(game) 
aig = spot.mealy_machine_to_aig(mealy, "isop") 
display_inline(mealy, aig.show('h')) 

[Figure: the Mealy machine extracted from the winning strategy, and the AIGER 
circuit built from it.] 

Fig. 3. (top) Solving a game to display the strategy. States with green borders are 
winning for player 1, who wants to satisfy the acceptance condition, by following the 
green arrows. States with red color are winning for player 0, who wants to fail the 
acceptance condition, by following the red arrows. (bottom) Conversion of the winning 
strategy to a Mealy machine and then an AIGER circuit. (Color figure online) 


Figure 3 shows an example of a game generated by ltlsynt, and how we can 
display the winning strategy once the game is solved. The winning strategy can 
be extracted and converted into a Mealy machine, which is just an automaton 
that uses the synthesis-output property to specify which atomic propositions 
belong to the output. Such a Mealy machine can then be encoded into an AND-
inverter graph, and saved into the AIGER format [7]. Here L0 represents a latch, 
i.e., one bit of memory, that stores the previous value of a so that the circuit 
can output b if and only if a is true in the present and in the previous step. 
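The named-property convention of this section (state-player as input, state-winner and strategy as output, each indexed by state number, with strategy entries being edge numbers) can be exercised on the simplest of the two game types Spot supports, safety games. The following Python solver is an added example written for this page, not Spot's solver: it uses the textbook attractor construction, and assumes that player 1 wins a play that never reaches one of the given unsafe states while player 0 wins by reaching one, that every state has at least one outgoing edge, and that edges are numbered from 1 as in the edge vector of Fig. 1 so that a strategy entry of 0 means "no edge chosen".

```python
# Safety game solved over the named-property conventions of this section:
# "state-player" in, "state-winner" and "strategy" out. Added example written
# for this page, not Spot's solver. Assumptions: player 1 wins a play that
# never reaches an unsafe state, player 0 wins by reaching one; every state
# has at least one outgoing edge; edges are numbered from 1, so a strategy
# entry of 0 means "no edge chosen".
from collections import deque

class Game:
    """Minimal stand-in for a twa_graph carrying named properties."""
    def __init__(self, num_states, edges):
        self.num_states = num_states
        self.edges = [None] + list(edges)   # edges[e] = (src, dst), e >= 1
        self.named_props = {}
    def set_named_prop(self, name, value):
        self.named_props[name] = value
    def get_named_prop(self, name):
        return self.named_props.get(name)

def solve_safety_game(game, unsafe):
    """Attach "state-winner" (True where player 1 wins) and "strategy" to the
    game and return them. Player 0's region is the attractor of the unsafe
    set: a player-0 state joins as soon as one of its edges enters the
    attractor, a player-1 state only once all of its edges do."""
    player = game.get_named_prop("state-player")
    n = game.num_states
    out = [[] for _ in range(n)]            # outgoing edge numbers per state
    inn = [[] for _ in range(n)]            # incoming edge numbers per state
    for e in range(1, len(game.edges)):
        s, d = game.edges[e]
        out[s].append(e)
        inn[d].append(e)
    in_attr = [False] * n
    strategy = [0] * n
    pending = [len(out[s]) for s in range(n)]   # edges of s not yet known to lose
    work = deque()
    for s in unsafe:
        in_attr[s] = True
        work.append(s)
    while work:
        t = work.popleft()
        for e in inn[t]:                    # each edge is examined once
            s = game.edges[e][0]
            if in_attr[s]:
                continue
            if player[s] == 0:
                in_attr[s] = True
                strategy[s] = e             # player 0 moves into the attractor
                work.append(s)
            else:
                pending[s] -= 1
                if pending[s] == 0:         # every choice of player 1 loses
                    in_attr[s] = True
                    work.append(s)
    winner = [not a for a in in_attr]       # True: player 1 wins from here
    # Player 1's strategy: any edge that stays inside its winning region.
    for s in range(n):
        if winner[s] and player[s] == 1:
            for e in out[s]:
                if winner[game.edges[e][1]]:
                    strategy[s] = e
                    break
    game.set_named_prop("state-winner", winner)
    game.set_named_prop("strategy", strategy)
    return winner, strategy

def sample_game():
    """Constructed 5-state game; state 4 is the unsafe sink. Player 1 owns
    states 1 and 2, player 0 owns 0, 3 and 4."""
    g = Game(5, [(0, 1), (0, 2), (1, 1), (1, 3), (2, 4), (3, 4), (3, 1), (4, 4)])
    g.set_named_prop("state-player", [0, 1, 1, 0, 0])
    return g
```

On the sample, player 1 wins only from state 1 (by looping on its self-loop, edge 3); from state 0 player 0 wins by taking edge 2 towards state 2, whose sole edge leads to the unsafe sink. A player-1 state with a self-loop can never enter the attractor, since its loop edge is only examined after the state itself would have joined, which is exactly the intended semantics.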


7 Online Application for LTL Formulas 


The Python ecosystem makes it easy to develop web interfaces for convenient 
access to a subset of features of Spot. For instance Fig. 4 shows screenshots of a 
web application built using a React frontend, and running Spot on the server. 
It can transform LTL formulas into automata, can display many properties of 
a formula (membership to the Manna & Pnueli hierarchy [34], Safety /Liveness 
classification [2], Rabin and Streett indices [14], stutter-invariance [36]), or sim- 
ply compare two formulas using a Venn diagram. 
[Figure: screenshots of the web application. Its tabs are REWRITE, STUDY, 
COMPARE and TRANSLATE. The Study view, for the input formula 
GF((b | Fa) & (b R Xb)) <-> FGc, places the formula in the Manna & Pnueli 
hierarchy (Reactivity, Recurrence, Persistence, Obligation, Safety, Guarantee), 
reports that it describes a recurrence property, gives its Safety-Liveness 
classification, and shows a deterministic automaton with 2 states and 8 edges 
with Emerson-Lei (generic) acceptance. The Compare view, for the formulas 
Xa U Gb and Gb R Xa, reports that the two formulas are incomparable and lists 
witness words such as cycle{a & b}, b; cycle{a & !b}, cycle{!a & !b} and 
cycle{!a & b}.] 

Fig. 4. A web application, built on top of Spot. https://spot.lrde.epita.fr/app/ 


This application has been found to be useful for teaching about LTL and its 
relation with automata, but is also a helpful research tool. 


8 Shortcomings and One Future Direction 


While Spot has been used for many applications, there are two recurrent issues: 
they are related to the types used for some fields of the edge vector (see Figs. 1- 
2). By default, the set of colors that labels an edge (the acc field) is stored as a 
32-bit bit-vector, the transition label (cond, a formula over $2^{AP}$), is stored as a 
BDD identified by a unique 32-bit integer, and the other three fields (src, dst, 
next_succ) are all 32-bit integers. One edge therefore takes 20 bytes. 

While limiting the number of states to 32-bit integers has never been a prob- 
lem so far, the limit of 32 colors can be hit easily. Spot 2.6 added a compile-time 
option to enlarge the number of supported colors to any multiple of 32; this 
evidently has a memory cost (and therefore also a runtime cost) as the acc field 
will be larger for each edge. However this constraint generally means that all 
the algorithms we implement try to be “color-efficient”, i.e., to not introduce 
useless colors. For instance while the product of an automaton with x colors 
and an automaton with y colors is usually an automaton with x + y colors, 
the product() implementation will output fewer colors in presence of a weak 
automaton. 

The use of BDDs as edge labels causes another type of issue. Spot uses a 
customized version of the BuDDy library, with additional functions, and sev-
eral optimizations (more compact BDD nodes for better cache friendliness, most 
operations have been rewritten to be recursion-free). However, BuDDy is inher-
ently not thread safe, because of its global unicity table and caches. This prevents 
us from doing any kind of parallel processing on automata. A long-term plan is 
to introduce a new class twacube that represents an automaton in which edges 
are cubes (i.e., conjunctions of literals) represented using two bit-vectors. Such 
a class was experimentally introduced in Spot 2.10 and is currently used in some 
parallel emptiness check procedures [38]. 
Abstract. We present the tool RANKER for complementing Büchi 
automata (BAs). RANKER builds on our previous optimizations of rank-
based BA complementation and pushes them even further using numer- 
ous heuristics to produce even smaller automata. Moreover, it con- 
tains novel optimizations of specialized constructions for complementing 
(i) inherently weak automata and (ii) semi-deterministic automata, all 
delivered in a robust tool. The optimizations significantly improve the 
usability of RANKER, as shown in an extensive experimental evaluation 
with real-world benchmarks, where RANKER produced in the majority 
of cases a strictly smaller complement than other state-of-the-art tools. 


1 Introduction 


Büchi automata (BA) complementation is an essential operation in the tool- 
box of automata theory, logic, and formal methods. It has many applications, 
e.g., implementing negation in decision procedures of some logics (such as the 
monadic second-order logic S1S [1,2], the temporal logics ETL and QPTL [3], 
or the first-order logic over Sturmian words [4]), proving termination of pro- 
grams [5-7], or model checking of temporal properties [8]. BA complementation 
also serves as the foundation stone of algorithms for checking inclusion and equiv- 
alence of $\omega$-regular languages. In all applications of BAs, the number of states of 
a BA affects the overall performance. The many uses of BA complementation, as 
well as the challenging theoretical nature of the problem, have incited researchers 
to develop a number of different approaches, e.g., determinization-based [9-11], 
rank-based [12-14], or Ramsey-based [1,15], some of them [14,16] producing BAs 
with the number of states asymptotically matching the lower bound $(0.76n)^n$ of 
Yan [17]. Despite their theoretical optimality, for many real-world cases the con- 
structions create BAs with a lot of unnecessary states, so optimizations making 
the algorithms efficient in practice are needed. 

We present RANKER, a robust tool for complementing (transition- 
based) BAs. RANKER uses several complementation approaches based on prop- 
erties of the input BA: it combines an optimization of the rank-based proce- 
dure developed in [18-20] with specialized (and further optimized) procedures 
for complementing semi-deterministic BAs [21], inherently weak BAs [22,23], 
and elevator BAs [19]. An extensive experimental evaluation on a wide range of 
automata occurring in practice shows that RANKER can obtain a smaller com- 
plement in the majority of cases compared to the other state-of-the-art tools. 


Contribution. We describe a major improvement of RANKER [18,19], turning it 
from a prototype into a robust tool. We list the particular optimizations below. 


— We extended the original BA complementation procedure with improved deelevation 
(cf. [19]) and advanced automata reductions. 

— We also equipped RANKER with specialized constructions tailored for widely- 
used semi-deterministic and inherently weak automata. 

— On top of that, we propose novel optimizations of the original NCSB con- 
struction for semi-deterministic BAs and a simulation-based optimization of 
the Miyano-Hayashi algorithm for complementing inherently weak automata. 


All of these improvements are pushing the capabilities of RANKER, and also of 
practical BA complementation itself, much further. 


2 Büchi Automata 


Words, Functions. We fix a finite nonempty alphabet $\Sigma$ and the first infinite 
ordinal $\omega = \{0, 1, \ldots\}$. An (infinite) word $\alpha$ is a function $\alpha\colon \omega \to \Sigma$ where the 
$i$-th symbol is denoted as $\alpha_i$. We abuse notation and sometimes represent $\alpha$ as 
an infinite sequence $\alpha = \alpha_0 \alpha_1 \ldots$. $\Sigma^\omega$ denotes the set of all infinite words over $\Sigma$. 


Büchi Automata. A (nondeterministic transition/state-based) Büchi automaton 
(BA) over $\Sigma$ is a quintuple $\mathcal{A} = (Q, \delta, I, Q_F, \delta_F)$ where $Q$ is a finite set of states, 
$\delta\colon Q \times \Sigma \to 2^Q$ is a transition function, $I \subseteq Q$ is the set of initial states, and 
$Q_F \subseteq Q$ and $\delta_F \subseteq \delta$ are the sets of accepting states and accepting transitions 
respectively. $\mathcal{A}$ is called deterministic if $|I| \le 1$ and $|\delta(q, a)| \le 1$ for each $q \in Q$ 
and $a \in \Sigma$. We sometimes treat $\delta$ as a set of transitions $p \xrightarrow{a} q$; for instance, we 
use $p \xrightarrow{a} q \in \delta$ to denote that $q \in \delta(p, a)$. Moreover, we extend $\delta$ to sets of states 
$P \subseteq Q$ as $\delta(P, a) = \bigcup_{p \in P} \delta(p, a)$. The notation $\delta|_S$ for $S \subseteq Q$ is used to denote 
the restriction of the transition function $\delta \cap (S \times \Sigma \times S)$. Moreover, for $q \in Q$, 
we use $\mathcal{A}[q]$ to denote the automaton $(Q, \delta, \{q\}, Q_F, \delta_F)$. 

A run of $\mathcal{A}$ from $q \in Q$ on an input word $\alpha$ is an infinite sequence $\rho\colon \omega \to Q$ 
that starts in $q$ and respects $\delta$, i.e., $\rho_0 = q$ and $\forall i \ge 0\colon \rho_i \xrightarrow{\alpha_i} \rho_{i+1} \in \delta$. Let 
$\mathrm{inf}_{Q,\delta}(\rho) \subseteq Q \cup \delta$ denote the set of states and transitions occurring in $\rho$ infinitely 
often. The run $\rho$ is called accepting iff $\mathrm{inf}_{Q,\delta}(\rho) \cap (Q_F \cup \delta_F) \neq \emptyset$. A word $\alpha$ is 
accepted by $\mathcal{A}$ from a state $q \in Q$ if $\mathcal{A}$ has an accepting run $\rho$ on $\alpha$ from $q$, 
i.e., $\rho_0 = q$. The set $\mathcal{L}_{\mathcal{A}}(q) = \{\alpha \in \Sigma^\omega \mid \mathcal{A} \text{ accepts } \alpha \text{ from } q\}$ is called the 
language of $q$ (in $\mathcal{A}$). Given a set of states $R \subseteq Q$, we define the language of $R$ 
as $\mathcal{L}_{\mathcal{A}}(R) = \bigcup_{q \in R} \mathcal{L}_{\mathcal{A}}(q)$ and the language of $\mathcal{A}$ as $\mathcal{L}(\mathcal{A}) = \mathcal{L}_{\mathcal{A}}(I)$. If $\delta_F = \emptyset$, we 
call $\mathcal{A}$ state-based and if $Q_F = \emptyset$, we call $\mathcal{A}$ transition-based. 

A co-Büchi automaton (co-BA) $\mathcal{C}$ is the same as a BA except for the definition 
of when a run is accepting: a run $\rho$ of $\mathcal{C}$ is accepting iff $\mathrm{inf}_{Q,\delta}(\rho) \cap (Q_F \cup \delta_F) = \emptyset$. 
Fig. 1. Overview of the architecture of RANKER with the most important command- 
line options. Default settings are highlighted in blue. (Color figure online) 


Automata Types. Let $\mathcal{A} = (Q, \delta, I, Q_F, \delta_F)$ be a BA. $C \subseteq Q$ is a strongly con- 
nected component (SCC) of $\mathcal{A}$ if for any pair of states $q, q' \in C$ it holds that $q$ 
is reachable from $q'$ and $q'$ is reachable from $q$. $C$ is maximal (MSCC) if it 
is not a proper subset of another SCC. An MSCC is non-accepting if it con- 
tains no accepting state and no accepting transition. We say that an SCC $C$ 
is inherently weak accepting (IWA) iff every cycle in the transition diagram 
of $\mathcal{A}$ restricted to $C$ contains an accepting state or an accepting transition. 
We say that an SCC $C$ is deterministic iff $(C, \delta|_C, \emptyset, \emptyset, \emptyset)$ is deterministic. $\mathcal{A}$ is 
inherently weak (IW) if all its MSCCs are inherently weak accepting or non- 
accepting, and weak if for states $q, q'$ that belong to the same SCC, $q \in Q_F$ 
iff $q' \in Q_F$. $\mathcal{A}$ is semi-deterministic (SDBA) if $\mathcal{A}[q]$ is deterministic for every 
$q \in Q_F \cup \{p \in Q \mid s \xrightarrow{a} p \in \delta_F,\ s \in Q,\ a \in \Sigma\}$. Finally, $\mathcal{A}$ is called elevator if all 
its MSCCs are inherently weak accepting, deterministic, or non-accepting. 


3 Architecture 


RANKER [24] is a publicly available command line tool, written in C++, imple- 
menting several approaches for complementation of (transition/state-based) 
Büchi automata. As an input, RANKER accepts BAs in the HOA [25] or the 
simpler ba [26] format. The architecture overview is shown in Fig. 1. An input 
automaton is first adjusted by various structural preprocessing steps to an inter- 
mediate equivalent automaton with a form suitable for a complementation pro- 
cedure. Based on the intermediate automaton type, a concrete complementation 
procedure is used. The result of the complementation is subsequently polished 
by postprocessing steps, yielding an automaton on the output. In the following 
text, we provide details about the internal blocks of RANKER’s architecture. 


3.1 Preprocessing and Postprocessing 


Before an input BA is sent to the complementation block itself, it is first trans- 
formed into a form most suitable for a concrete complementation technique. 
On top of that, as a part of preprocessing, we identify structural features that 
are further used to enable or disable certain optimizations during the comple- 
mentation. After the complementation, the resulting automaton is optionally 
reduced in a postprocessing step. RANKER provides several options of prepro- 
cessing/postprocessing that are discussed below. 


Preprocessing. The following are the most important settings for preprocessing: 


— Reduction: In order to obtain a smaller automaton, reduction using direct 
simulation [27] can be applied (--preprocess=red). Moreover, if the input 
automaton is IW or SDBA, we transform it into a transition-based BA, which 
might be smaller (we only do local modifications and merge two states if 
they have the same successors while moving the acceptance condition from 
states to transitions entering accepting states). We, however, do not use this 
strategy for other BAs, because despite their possibly more compact rep- 
resentation, this reduction limits the effect of some optimizations used in 
the rank-based complementation procedure (the presence of accepting states 
allows to decrease the rank bound, cf. [19]). 

— Deelevation [19]: For elevator automata, RANKER supports a couple of deel- 
evation strategies (extending a basic version introduced in [19]). Roughly 
speaking, deelevation makes a copy of MSCCs such that each copied MSCC 
becomes a terminal component (i.e., no run can leave it) and accepting 
states/transitions are removed from the original component (we call this the 
deelevation of the component). Deelevation increases the number of states but 
decreases the rank bounds for rank-based complementation. RANKER offers 
several strategies that differ on which components are deelevated: 

• --preprocess=copyall: Every component is deelevated. 

• --preprocess=copyiwa: Only IWA components are deelevated. 

• --preprocess=copyheur: This option combines two modifications 
applied in sequence: (i) If the input BA is not IW and the rank bound 
estimation [19] of the BA is at least 5, then all MSCCs with an accepting 
state/transition are deelevated (the higher rank bound indicates a longer 
sequence of components, for which deelevation is likely to be beneficial). 
(ii) If on all paths from all initial states of the intermediate BA, the first 
non-trivial MSCC is non-accepting, then we partially determinize the ini- 
tial part of the BA (up to the first non-trivial MSCCs); this reduces sizes 
of macrostates obtained in rank-based complementation. 

— Saturation of accepting states/transitions: Since a higher number of accept- 
ing states and transitions can help the rank-based complementation pro- 
cedure, RANKER can (using --preprocess=accsat) saturate accepting 
states/transitions in the input BA (while preserving the language). This is, 
however, not always beneficial; for instance, saturation can break the struc- 
ture for elevator rank estimation (cf. [19]). 

— Feature extraction: During preprocessing, we extract features of the BA that 
can help the complementation procedure in the second step. The features are, 
e.g., the type of the BA, rank bounds for individual states [19], or settings 
of particular optimizations from [18] (e.g., for deterministic automata with 
a smaller rank bound, it is counter-productive to use techniques reducing the 
rank bound based on reasoning about the waiting part). 


Fig. 2. Overview of complementation approaches used in RANKER. 


Postprocessing. After the complementation procedure finishes, RANKER removes 
useless states and optionally applies simulation reduction (--postprocess=red). 


3.2 Complementation Approaches 


Based on the automaton type, RANKER uses several approaches for complemen- 
tation (cf. Fig. 2). These are, ordered by decreasing priority, the following: 


— Inherently weak BAs: For the complementation of inherently weak automata, 
both the Miyano-Hayashi construction [22] and its optimization of adjusting 
macrostates (described in Sect. 4.1) are implemented. The construction con- 
verts an input automaton into an intermediate equivalent co-Büchi automa- 
ton, which is then complemented. The implemented optimizations adjust 
macrostates of the Miyano-Hayashi construction according to a direct simula- 
tion relation. By default (--best), the Miyano-Hayashi construction and the 
optimization of pruning simulation-smaller states from macrostates are used 
and the smaller result is output. For the option --light, only the optimized 
construction is used. 

— Semi-deterministic BAs: For SDBAs, RANKER by default (--best) uses both 
an NCSB-based [21] procedure and an optimized rank-based construction 
with advanced rank estimation [18,19]; the smaller result is picked. The 
particular NCSB-based procedure used is NCSB-MaxRank from Sect. 4.2 
(RANKER also contains an implementation of NCSB-Lazy from [7], which 
can be turned on using --ncsb-lazy, but usually gives worse results). For 
the option --light, only NCSB-MaxRank is used. 

— Otherwise: For BAs with no special structure, RANKER uses the optimized 
rank-based complementation algorithm from [18,19] with SPOT as the back- 
off [18] (i.e., RANKER can determine when the input has a structure that 
is bad for the rank-based procedure and use another approach). Particular 
optimizations are selected according to the features of the input BA (e.g., the 
number of states or the structure of the automaton). 
4 Optimizations of the Constructions 


In this section, we provide details about new optimizations of complementation 
of inherently weak and semi-deterministic automata implemented in RANKER. 
Proofs of their correctness can be found in the technical report [28]. 


4.1 Macrostates Adjustment for Inherently Weak Automata 


For complementing IW automata, RANKER uses a method based on the Miyano- 
Hayashi construction (denoted as MiHay) [22]: In the first step, accepting states 
of an input IW BA $\mathcal{A}$ are saturated to obtain a language-equivalent weak automa- 
ton $\mathcal{W} = (Q, \delta, I, Q_F, \emptyset)$ (we remove accepting transitions because they do not 
provide any advantage for IW automata). In the second step, $\mathcal{W}$ is converted to 
the equivalent co-Büchi automaton $\mathcal{C} = (Q, \delta, I, Q_{\bar{F}} = Q \setminus Q_F, \emptyset)$ by swapping 
accepting and non-accepting states. Finally, the Miyano-Hayashi construction is 
used to obtain the complement (state-based) BA. 

Our optimizations of the MiHay procedure are inspired by optimizations 
of the determinization algorithm for automata over finite words [29] and by 
saturation of macrostates in the rank-based BA complementation procedure [20], 
where simulation relations are used to adjust macrostates in order to obtain 
a smaller automaton. We modify the original construction by introducing 
an adjustment function that modifies the obtained macrostates, either to obtain 
smaller macrostates (for the pruning strategy) or larger macrostates (for the satu- 
rating strategy; the hope is that more original macrostates map to the same 
saturated macrostate). Formally, given a co-BA $\mathcal{C} = (Q, \delta, I, Q_F, \emptyset)$ and an adjustment function 
$\theta\colon 2^Q \to 2^Q$, the construction $\mathrm{MiHay}_\theta$ gives the (deterministic, state-based) BA 
$\mathrm{MiHay}_\theta(\mathcal{C}) = (Q', \delta', I', Q'_F, \emptyset)$, whose components are defined as follows: 


— $Q' = 2^Q \times 2^Q$, 
— $I' = \{(\theta(I), \emptyset)\}$, 
— $\delta'((S, B), a) = (S', B')$ where 
  • $S' = \theta(\delta(S, a))$, and 
  • $B' = S' \setminus Q_F$ if $B = \emptyset$, or 
    $B' = (\delta(B, a) \cap S') \setminus Q_F$ if $B \neq \emptyset$, and 
— $Q'_F = 2^Q \times \{\emptyset\}$. 


Intuitively, the construction tracks in the $S$-component all runs over a word 
and uses the $B$-component to check that each of the runs sees infinitely many 
accepting states from $Q_F$ (by a cut-point construction). The original MiHay 
procedure can be obtained by using the identity for the adjustment function, $\theta = \mathrm{id}$. 
In the following, we use $\preceq^{di}_{\mathcal{W}}$ and $\preceq^{f}_{\mathcal{C}}$ to denote a direct simulation on $\mathcal{W}$ and 
a fair simulation on $\mathcal{C}$ respectively (see, e.g., [30] for more details; in particular, 
$p \preceq^{f}_{\mathcal{C}} q$ iff for every trace of $\mathcal{C}$ from state $p$ over $\alpha$ with finitely many accepting 
states, there exists a trace from $q$ over $\alpha$ with finitely many accepting states). 
Let $E \subseteq Q \times Q$ be a relation on the states of $\mathcal{C}$ defined as follows: $p \mathrel{E} q$ iff (i) 
$p \preceq^{f}_{\mathcal{C}} q$, (ii) $q$ is reachable from $p$ in $\mathcal{C}$, and (iii) either $p$ is not reachable from $q$ 
in $\mathcal{C}$ or $p = q$. The two adjustment functions $pr, sat\colon 2^Q \to 2^Q$ are then defined 
for each $S \subseteq Q$ as follows: 


— pruning: $pr(S) = S'$ where $S' \subseteq S$ is the lexicographically smallest set (given 
a fixed ordering on $Q$) such that $\forall q \in S\ \exists q' \in S'\colon q \mathrel{E} q'$, and 
— saturating: $sat(S) = \{p \in Q \mid \exists q \in S\colon p \preceq^{f}_{\mathcal{C}} q\}$. 


Informally, $pr$ removes simulation-smaller states and $sat$ saturates a macrostate 
with all simulation-smaller states.¹ The correctness of the constructions is sum- 
marized by the following theorem: 


Theorem 1. For a co-BA $\mathcal{C}$, $\mathcal{L}(\mathrm{MiHay}_{sat}(\mathcal{C})) = \mathcal{L}(\mathrm{MiHay}_{pr}(\mathcal{C})) = \Sigma^\omega \setminus \mathcal{L}(\mathcal{C})$. 


In RANKER, we approximate a fair simulation $\preceq^{f}_{\mathcal{C}}$ by a direct simulation $\preceq^{di}_{\mathcal{W}}$ 
(which is easier to compute); the correctness holds due to the following lemma: 


Lemma 2. Let $\mathcal{W} = (Q, \delta, I, Q_F, \emptyset)$ be a weak BA and $\mathcal{C} = (Q, \delta, I, Q_{\bar{F}} = 
Q \setminus Q_F, \emptyset)$ be a co-BA. Then $\preceq^{di}_{\mathcal{W}} \subseteq \preceq^{f}_{\mathcal{C}}$. 
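The breakpoint construction of this section, as an added worked example (illustration code written for this page, not RANKER's implementation). It builds the reachable part of $\mathrm{MiHay}_\theta(\mathcal{C})$ for a constructed two-state co-BA obtained from a weak BA as described at the start of Sect. 4.1, and decides membership of ultimately periodic words $u v^\omega$ in the deterministic result, so the complement language can be checked by hand. The adjustment function $\theta$ is a parameter (the identity is used here, which is the original construction); the names CoBuchi, mihay and dba_accepts are this example's own.

```python
"""Miyano-Hayashi breakpoint construction MiHay_theta of Sect. 4.1.
Added illustration for this page; not RANKER's code."""
from collections import deque


class CoBuchi:
    """Nondeterministic state-based co-Buchi automaton C = (Q, delta, I, F):
    a run is accepting iff it visits F only finitely often."""

    def __init__(self, alphabet, delta, initial, accepting):
        self.alphabet = tuple(alphabet)
        self.delta = delta                         # (state, letter) -> set of successors
        self.initial = frozenset(initial)
        self.accepting = frozenset(accepting)

    def post(self, states, letter):
        """delta lifted to sets: delta(P, x) = union of delta(p, x) for p in P."""
        return frozenset(q for p in states for q in self.delta.get((p, letter), ()))


def mihay(C, theta=lambda S: S):
    """Return (states, delta, init, accepting) of the deterministic BA
    MiHay_theta(C); only macrostates reachable from I' are generated."""
    init = (frozenset(theta(C.initial)), frozenset())        # I' = {(theta(I), {})}
    delta, accepting, seen, work = {}, set(), set(), deque([])
    seen.add(init)
    work.append(init)
    while work:
        S, B = work.popleft()
        if not B:
            accepting.add((S, B))                             # Q'_F = 2^Q x {{}}
        for x in C.alphabet:
            S2 = frozenset(theta(C.post(S, x)))               # S' = theta(delta(S, x))
            if not B:                                         # breakpoint reached:
                B2 = S2 - C.accepting                         #   B' = S' \ F
            else:
                B2 = (C.post(B, x) & S2) - C.accepting        #   B' = (delta(B, x) cap S') \ F
            succ = (S2, B2)
            delta[((S, B), x)] = succ
            if succ not in seen:
                seen.add(succ)
                work.append(succ)
    return seen, delta, init, accepting


def dba_accepts(dba, prefix, loop):
    """Does the deterministic BA accept prefix . loop^omega?  Run the prefix,
    then iterate the loop until the state at a loop boundary repeats, and
    check whether the cycle visits an accepting state."""
    _, delta, state, accepting = dba
    for x in prefix:
        state = delta[(state, x)]
    first_seen, rounds = {}, []
    while state not in first_seen:
        first_seen[state] = len(rounds)
        visited = set()
        for x in loop:
            state = delta[(state, x)]
            visited.add(state)
        rounds.append(visited)
    cycle = set().union(*rounds[first_seen[state]:])
    return bool(cycle & accepting)


# Constructed example.  The weak BA W = ({q0, q1}, delta, {q0}, Q_F = {q1}, {})
# with q0 --a,b--> q0, q0 --b--> q1, q1 --b--> q1 accepts "eventually always b".
# The co-BA C of Sect. 4.1 keeps delta and has accepting set Q \ Q_F = {q0}.
DELTA_C = {("q0", "a"): {"q0"}, ("q0", "b"): {"q0", "q1"}, ("q1", "b"): {"q1"}}
C = CoBuchi("ab", DELTA_C, initial={"q0"}, accepting={"q0"})
COMPLEMENT_DBA = mihay(C)        # should accept exactly "infinitely many a"

if __name__ == "__main__":
    states, _, _, acc = COMPLEMENT_DBA
    print(len(states), "macrostates,", len(acc), "accepting")
    for u, v in [("", "ab"), ("", "b"), ("bb", "a")]:
        print(f"{u}({v})^w in complement:", dba_accepts(COMPLEMENT_DBA, u, v))
```

Two macrostates suffice here: the one with $B = \emptyset$ is re-entered exactly when an $a$ kills the run that stayed in $q_1$, so the result accepts a word iff it contains infinitely many $a$, the complement of "eventually always $b$". A pruning or saturating $\theta$ plugs into the same function; on this two-state automaton neither changes anything because condition (ii) of the relation $E$ fails for the only simulation pair.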


4.2 NCSB-MaxRank Construction 


The structure of semi-deterministic BAs allows the use of more efficient complemen- 
tation techniques. From the point of view of rank-based complementation, the 
maximum rank of semi-deterministic automata can be bounded by 3. If a rank- 
based complementation procedure based on tight rankings (such as [18,19]) is 
used to complement an SDBA, it can suffer from having too many states due to 
the presence of the waiting part (intuitively, runs wait in the waiting part of the 
complement until they can see only tight rankings, then they jump to the tight 
part where they can accept, cf. [13,14,18] for more details). Furthermore, the 
information about ranks of individual runs may sometimes be more precise than 
necessary, which disables merging some runs. The NCSB construction [21] over- 
comes these issues by not considering the waiting part and keeping only rough 
information about the ranks. As a matter of fact, NCSB and the rank-based 
approach are not comparable due to tight-rankings and additional techniques 
restricting the ranking functions [18,19], taking into account structural proper- 
ties of the automaton, which is why RANKER in the default setting tries both 
rank-based and NCSB-based procedures for complementing SDBAs. 

An issue of the NCSB algorithm is a high degree of nondeterminism of the 
constructed BA (and therefore also a higher number of states). The NCSB-Lazy 
construction [7] improves the original algorithm by postponing the nondeter- 
ministic choices, which usually produces smaller results. Even the NCSB-Lazy 
construction may, however, suffer in some cases from generating too many suc- 
cessors. We propose an improvement of the original NCSB algorithm, inspired 
by the MaxRank construction in rank-based complementation from [18] (which 
is inspired by [14, Section 4]), hence called the NCSB-MaxRank construction, 
reducing the number of successors of any macrostate and symbol to at most two. 


¹ It has been brought to our attention by Alexandre Duret-Lutz that a strategy similar 
to pruning with direct simulation has been implemented in SPOT's [31] determiniza- 
tion and, moreover, generalized in [32] to also work in some cases within SCCs. 


Complementing Büchi Automata with Ranker 

Formally, for a given SDBA $\mathcal{A} = (Q_1 \uplus Q_2,\ \delta = \delta_1 \uplus \delta_2 \uplus \delta_t,\ I,\ Q_F,\ \delta_F)$ where $Q_2$ 
are the states reachable from an accepting state or transition and $Q_1$ is the rest, 
$\delta_1 = \delta|_{Q_1}$, $\delta_2 = \delta|_{Q_2}$, and $\delta_t$ is the transition function between $Q_1$ and $Q_2$, 
we define $\mathrm{NCSB\text{-}MaxRank}(\mathcal{A}) = (Q', I', \delta', Q'_F, \emptyset)$ to be the (state-based) BA 
whose components are the following: 


— $Q' = \{(N, C, S, B) \in 2^{Q_1} \times 2^{Q_2} \times 2^{Q_2 \setminus Q_F} \times 2^{Q_2} \mid B \subseteq C\}$, 
— $I' = \{(Q_1 \cap I,\ Q_2 \cap I,\ \emptyset,\ Q_2 \cap I)\}$, 
— $\delta' = \gamma_1 \cup \gamma_2$ where the successors of a macrostate $(N, C, S, B)$ over $a \in \Sigma$ are 
defined such that if $\delta_F(S, a) \neq \emptyset$ then $\delta'((N, C, S, B), a) = \emptyset$, else 
  • $\gamma_1((N, C, S, B), a) = \{(N', C', S', B')\}$ where 
    ◦ $N' = \delta_1(N, a)$, 
    ◦ $S' = \delta_2(S, a)$, 
    ◦ $C' = (\delta_t(N, a) \cup \delta_2(C, a)) \setminus S'$, and 
    ◦ $B' = C'$ if $B = \emptyset$, otherwise $B' = \delta_2(B, a) \cap C'$. 
  • If $B' \cap Q_F = \emptyset$, we also set $\gamma_2((N, C, S, B), a) = \{(N', C^\circ, S^\circ, B^\circ)\}$ with 


    ◦ $B^\circ = \emptyset$, 
    ◦ $S^\circ = S' \cup B'$, and 
    ◦ $C^\circ = C' \setminus S^\circ$, 


  else $\gamma_2((N, C, S, B), a) = \emptyset$. 


Intuitively, NCSB-MaxRank provides at most two choices for each macrostate: 
either keep all states in $B$ or move all states from $B$ to $S$ (if $B$ contains no 
accepting state). If a word is not accepted by $\mathcal{A}$, it will be safe to put all states 
from $B$ to $S$ at some point. The construction is in fact incomparable to the orig- 
inal NCSB algorithm [21] (in particular due to the condition $C' \subseteq \delta_2(C \setminus Q_F, a)$, 
which need not hold in NCSB-MaxRank). Correctness of the construction is 
given by the following theorem. 


Theorem 3. Let $\mathcal{A}$ be an SDBA. Then $\mathcal{L}(\mathrm{NCSB\text{-}MaxRank}(\mathcal{A})) = \Sigma^\omega \setminus \mathcal{L}(\mathcal{A})$. 
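The construction above as an added worked example (illustration code written for this page, not RANKER's implementation). It computes the reachable macrostates of NCSB-MaxRank for a constructed three-state transition-based SDBA (the form RANKER's preprocessing produces for SDBAs, so $Q_F = \emptyset$ and the $\gamma_2$ guard is always true) and checks ultimately periodic words against the result. Because the output is nondeterministic, the membership check searches the finite graph of (macrostate, loop position) nodes for an accepting node on a cycle, which is the general lasso check for any state-based NBA. One assumption is labelled in the code: the accepting macrostates $Q'_F$, which the page does not spell out, are taken to be those with $B = \emptyset$, as in NCSB [21]. The class and function names are this example's own.

```python
"""NCSB-MaxRank (Sect. 4.2) on a transition-based SDBA.  Added illustration
for this page; not RANKER's code.  Assumption: Q'_F = macrostates with B = {}."""
from collections import deque


class SDBA:
    """Transition-based semi-deterministic BA.  delta: (state, letter) -> set of
    successors; acc_trans = delta_F as (src, letter, dst) triples; q2 = states
    reachable from an accepting transition (the deterministic part)."""

    def __init__(self, alphabet, states, delta, initial, acc_trans, q2, acc_states=()):
        self.alphabet, self.delta = tuple(alphabet), delta
        self.initial, self.acc_trans = frozenset(initial), frozenset(acc_trans)
        self.q2, self.q1 = frozenset(q2), frozenset(states) - frozenset(q2)
        self.acc_states = frozenset(acc_states)   # Q_F; empty for transition-based input

    def post(self, states, letter, into):
        """delta lifted to sets, restricted to successors in `into`: this gives
        delta_1 (into = Q1), delta_2 (into = Q2) and delta_t (N in Q1, into = Q2)."""
        return frozenset(q for p in states for q in self.delta.get((p, letter), ())
                         if q in into)

    def takes_accepting(self, states, letter):
        """delta_F(S, letter) != {}: a run tracked in S would take an accepting transition."""
        return any((p, letter, q) in self.acc_trans
                   for p in states for q in self.delta.get((p, letter), ()))


def ncsb_maxrank(A):
    """Reachable part of NCSB-MaxRank(A) as (states, delta, init, accepting);
    delta maps (macrostate, letter) to its set of successors (at most two)."""
    empty = frozenset()
    init = (A.q1 & A.initial, A.q2 & A.initial, empty, A.q2 & A.initial)
    delta, accepting, seen, work = {}, set(), {init}, deque([init])
    while work:
        m = work.popleft()
        N, C, S, B = m
        if not B:
            accepting.add(m)                                   # assumed Q'_F: B = {}
        for x in A.alphabet:
            if A.takes_accepting(S, x):                        # a "safe" run accepted: dead end
                delta[(m, x)] = empty
                continue
            N2 = A.post(N, x, A.q1)                                # N' = delta_1(N, x)
            S2 = A.post(S, x, A.q2)                                # S' = delta_2(S, x)
            C2 = (A.post(N, x, A.q2) | A.post(C, x, A.q2)) - S2   # C' = (delta_t(N,x) u delta_2(C,x)) \ S'
            B2 = C2 if not B else A.post(B, x, A.q2) & C2         # B' of gamma_1
            succs = {(N2, C2, S2, B2)}                             # gamma_1: keep all of B'
            if not (B2 & A.acc_states):                            # gamma_2: bet that B' never accepts again
                S3 = S2 | B2
                succs.add((N2, C2 - S3, S3, empty))
            delta[(m, x)] = frozenset(succs)
            for s in succs:
                if s not in seen:
                    seen.add(s)
                    work.append(s)
    return seen, delta, init, accepting


def nba_accepts(nba, prefix, loop):
    """Does the nondeterministic BA accept prefix . loop^omega?  Explore the finite
    graph of (state, position in loop) nodes reachable after the prefix and look
    for an accepting node that lies on a cycle."""
    _, delta, init, accepting = nba
    cur = {init}
    for x in prefix:
        cur = {q for p in cur for q in delta.get((p, x), ())}
    n = len(loop)

    def step(node):
        q, i = node
        return {(q2, (i + 1) % n) for q2 in delta.get((q, loop[i]), ())}

    reach, work = {(q, 0) for q in cur}, deque((q, 0) for q in cur)
    while work:
        for nxt in step(work.popleft()):
            if nxt not in reach:
                reach.add(nxt)
                work.append(nxt)
    for node in reach:
        if node[0] not in accepting:
            continue
        seen = set(step(node))                                 # nodes reachable in >= 1 step
        work = deque(seen)
        while work:
            here = work.popleft()
            if here == node:
                return True
            for nxt in step(here):
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
    return False


# Constructed example over {a, b}: Q1 = {p}, Q2 = {q, r};  p --a,b--> p,
# p --a--> q (the jump into Q2), q --a--> q, q --b--> r, r --a--> q, r --b--> r,
# delta_F = {q --b--> r, r --b--> r}.  L(A) = words with at least one a and
# infinitely many b; the complement is b^omega plus every word with finitely many b.
DELTA_A = {("p", "a"): {"p", "q"}, ("p", "b"): {"p"}, ("q", "a"): {"q"},
           ("q", "b"): {"r"}, ("r", "a"): {"q"}, ("r", "b"): {"r"}}
A = SDBA("ab", {"p", "q", "r"}, DELTA_A, initial={"p"},
         acc_trans={("q", "b", "r"), ("r", "b", "r")}, q2={"q", "r"})
COMPLEMENT_NBA = ncsb_maxrank(A)

if __name__ == "__main__":
    print(len(COMPLEMENT_NBA[0]), "macrostates")
    for u, v in [("", "b"), ("", "ab"), ("bab", "a")]:
        print(f"{u}({v})^w in complement:", nba_accepts(COMPLEMENT_NBA, u, v))
```

On this input the construction reaches five macrostates and every (macrostate, letter) pair has at most two successors, as the text promises; the macrostate $(\{p\}, \emptyset, \{q\}, \emptyset)$ is the "bet" that the run in $q$ never takes an accepting transition again, and it is killed by the next $b$, which is exactly how the words with infinitely many $b$ are rejected.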


5 Experimental Evaluation 


We compared the improved version of RANKER presented in this paper with 
other state-of-the-art tools, namely, GOAL [33] (implementing PITERMAN [10], 
SAFRA [9], and FRIBOURG [16]), SPOT 2.9.3 [31] (implementing Redziejowski's 
algorithm [11]), SEMINATOR 2 [34], LTL2DSTAR 0.5.4 [35], ROLL [36], and the 
previous version of RANKER from [19], denoted as RANKER_OLD. All tools were set 
to the mode where they output a state-based BA. The correctness of our imple- 
mentation was tested using SPOT's autcross on all BAs from our benchmarks. 
The experimental evaluation was performed on a 64-bit GNU/Linux Debian 
workstation with an Intel(R) Xeon(R) CPU E5-2620 running at 2.40 GHz with 
32 GiB of RAM, using a 5-minute timeout. Axes in plots are logarithmic. An arti- 
fact that allows reproduction of the results is available as [37]. 
Fig. 3. Evaluation of the effect of our optimizations for IW and SDBA automata. 


Datasets. We use automata from the following three datasets: (i) random, con- 
taining 11,000 BAs over a two-letter alphabet used in [38], which were randomly 
generated via the Tabakov-Vardi approach [39], starting from 15 states and with 
various parameter settings; (ii) LTL with 1,721 BAs over larger alphabets (up 
to 128 symbols) used in [34], obtained from LTL formulae from the literature (221) 
or randomly generated (1,500); (iii) Automizer, containing 906 BAs over larger 
alphabets (up to 235 symbols) used in [7], which were obtained from the ULTI- 
MATE AUTOMIZER tool (all benchmarks are available at [40]). Note that we 
included random in order to simulate applications that cannot easily generate 
BAs of one of the easier fragments (unlike, e.g., ULTIMATE AUTOMIZER, which 
generates in most cases SDBAs) and have thus, so far, not been seriously con- 
sidered by the community due to the lack of practically efficient BA comple- 
mentation approaches (e.g., the automata-based S1S decision procedure [1]). 
All automata were preprocessed using SPOT's autfilt (using the --high 
simplification level), and converted to the HOA format [25]. We also removed 
trivial one-state BAs. In the end, we were left with 4,533 (random, blue data 
points), 1,716 (LTL, red data points), and 906 (Automizer, green data points) 
automata. We use all to denote their union (7,155 BAs). 


5.1 Effect of the Proposed Optimizations 


In the first part of the experimental evaluation, we measured the effect of the 
proposed optimizations from Sect. 4 on the size of the generated state space, i.e., 
sizes of output automata without any postprocessing. This use case is motivated 
by language inclusion and equivalence checking, where the size of the generated 
state space directly affects the performance of the algorithm. We carried out 
the evaluation on LTL and Automizer benchmarks (we use both to denote their 
union) since most of the automata there are either IW or SDBAs. 
Fig. 4. Comparison of the complement size obtained by RANKER, RANKER_OLD, and 
SPOT (horizontal and vertical dashed lines represent timeouts). 


The first experiment compares the number of states generated by the original 
MiHay and by the macrostates-pruning optimization $\mathrm{MiHay}_{pr}$ from Sect. 4.1 on 
inherently weak BAs (948 BAs from LTL and 360 BAs from Automizer = 1,308 BAs). 
Note that we omit $\mathrm{MiHay}_{sat}$ as it is overall worse than $\mathrm{MiHay}_{pr}$. The scatter plot is 
shown in Fig. 3a and statistics are in the top part of Table 1. We can clearly see 
that the optimization works well, substantially decreasing both the mean and 
the median size of the output BAs. 


Table 1. Effects of our optimizations for IW and SDBA automata. Sizes of 
output BAs are given as "both (LTL : Automizer)". Only the NCSB-Lazy row 
survived extraction. 

method          mean                  median 
NCSB-Lazy       35.7 (25.1 : 44.8)    13 (9 : 32) 


The second experiment compares the size of the state space generated by 
NCSB-Lazy [7] and NCSB-MaxRank from Sect. 4.2 on 735 SDBAs (that are not 
IW) from LTL (328 BAs) and Automizer (407 BAs). We omit a comparison with 
the original NCSB [21] procedure, since NCSB-Lazy behaves overall better [7]. 
The results are in Fig. 3b and the bottom part of Table 1. Again, both the mean 
and the median are lower for NCSB-MaxRank. The scatter plot shows that the 
effect of the optimization is stronger when the generated state space is larger (for 
BAs where the output had > 150 states, our optimization was never worse). 


5.2 Comparison with Other Tools 


In the second part of the experimental evaluation, we compared RANKER with 
other state-of-the-art tools for BA complementation. We measured how small 
output BAs we can obtain, therefore, we compared the number of states after 
Table 2. Statistics for our experiments. The table compares the sizes of complement 
BAs obtained by RANKER and other approaches (after postprocessing). The wins and 
losses columns give the number of times when RANKER was strictly better and worse. 
The values are given for the three datasets as "all (random : LTL : Automizer)". 
Approaches in GOAL are labelled with @. The row for RANKER itself did not survive 
extraction. 


method        mean               median             wins                      losses                  timeouts 
RANKER_OLD    30 (38 : 10 : 32)  12 (18 : 6 : 22)   1554 (356 : 650 : 548)    264 (142 : 69 : 53)     458 (259 : 7 : 192) 
PITERMAN @    43 (56 : 12 : 38)  14 (19 : 8 : 24)   2881 (1279 : 966 : 636)   392 (263 : 68 : 61)     309 (12 : 4 : 293) 
SAFRA @       49 (60 : 17 : 56)  15 (18 : 10 : 24)  3109 (1348 : 1117 : 644)  274 (229 : 31 : 14)     599 (160 : 30 : 409) 
SPOT          46 (57 : 8 : 66)   11 (18 : 5 : 18)   1347 (935 : 339 : 73)     1057 (327 : 343 : 387)  73 (13 : 0 : 60) 
FRIBOURG @    49 (68 : 8 : 27)   11 (18 : …)        2223 (1177 : 503 : 543)   586 (245 : 207 : 134)   399 (93 : 2 : 304) 
LTL2DSTAR     44 (56 : 12 : 47)  14 (19 : …)        2794 (1297 : 924 : 573)   448 (283 : 88 : 77)     288 (130 : 13 : 145) 
SEMINATOR 2   46 (58 : 8 : 64)   11 (17 : …)        1626 (1297 : 291 : 38)    1113 (286 : 398 : 429)  419 (368 : 1 : 50) 
ROLL          18 (15 : 11 : 54)  9 (8 : …)          6050 (3824 : 1551 : 675)  620 (369 : 125 : 126)   1893 (1595 : 8 : 290) 


reduction using autfilt (with the simplification level --high). The scatter plots 
in Fig. 4 compare the numbers of states of automata generated by RANKER, 
RANKER_OLD, and SPOT. Summarizing statistics are given in Table 2. The backoff 
strategy in RANKER was applied in 278 (264 : 1 : 13) cases. 

First, observe that RANKER significantly outperforms RANKER_OLD, especially in 
the much lower number of timeouts, which decreased by 65% (moreover, 66 of the 
158 timeouts were due to the timeout of autfilt in postprocessing). The higher 
mean of RANKER compared to RANKER_OLD is also caused by fewer timeouts. From 
Table 2, we can also see that RANKER has the smallest mean and median (except 
for ROLL and RANKER_OLD, but they have a much higher number of timeouts). 
RANKER also has the second lowest number of timeouts (SPOT has the lowest). 
If we look at the number of wins and losses, we can see that RANKER in the 
majority of cases produces a strictly smaller automaton compared to the other 
tools. In Table 3, we see that the run time of RANKER is comparable to the run 
times of the other tools (much better than GOAL and ROLL, comparable with 
SEMINATOR 2, and a bit worse than SPOT and LTL2DSTAR). 


Table 3. Run times of the tools [s] given as "all (random : LTL : Automizer)". 
The row for RANKER itself did not survive extraction. 


method        mean                          median 
RANKER_OLD    4.62 (5.33 : 0.72 : 9.69)     0.07 (0.19 : 0.03 : 0.15) 
PITERMAN @    8.06 (6.07 : 5.95 : 28.38)    5.12 (4.96 : 5.08 : 8.68) 
SAFRA @       11.58 (10.41 : 6.51 : 38.65)  5.41 (5.32 : 5.26 : 9.02) 
SPOT          0.64 (0.57 : 0.02 : 2.28)     0.02 (0.02 : 0.01 : 0.02) 
FRIBOURG @    13.13 (14.14 : 6.06 : 23.88)  5.69 (6.82 : 4.92 : 6.57) 
LTL2DSTAR     2.1 (2.25 : 0.34 : 5.15)      0.02 (0.02 : 0.01 : 0.05) 
SEMINATOR 2   4.16 (6.33 : 0.03 : 1.88)     0.03 (0.08 : 0.01 : 0.03) 
ROLL          23.65 (29.82 : 3.88 : 49.02)  3.34 (6.19 : 1.71 : 17.14) 
Abstract. In the past decade, satisfiability modulo theories (SMT) 
solvers have been extended to support the theory of strings and regu- 
lar expressions. This theory has proven to be useful in a wide range of 
applications in academia and industry. To accommodate the expressive 
nature of string constraints used in those applications, string solvers use a 
multi-layered architecture where extended operators are reduced to a set 
of core operators. These reductions, however, are often costly to reason 
about. In this work, we propose new techniques for eagerly discovering 
conflicts based on equality reasoning and lazily avoiding reductions for 
certain extended functions based on lightweight reasoning. We present a 
strategy for integrating and scheduling these techniques in a CDCL(T)- 
based theory solver for strings and regular expressions. We implement 
the techniques and the strategy in cvc5, a state-of-the-art SMT solver, 
and show that they lead to a significant performance improvement. 


1 Introduction 


Most software processes strings and, as a result, modern programming lan- 
guages integrate rich functionality to represent and manipulate strings. The 
semantics of string-manipulating functions are often complex, which makes 
reasoning about them challenging. In recent years, researchers have proposed 
various approaches to tackle this challenge with dedicated solvers for string 
constraints [3,5,11,19,21], often as extensions of satisfiability modulo theories 
(SMT) solvers [10]. Dedicated solvers have been successfully used in a wide range 
of applications, including: finding or proving the absence of SQL injections and 
XSS vulnerabilities in web applications [30,32,35]; reasoning about access poli- 
cies in cloud infrastructure [6,7,13]; and generating database tables from SQL 
queries for unit testing [34]. 

SMT solvers are frequently used as back ends for formal tools that reason 
about software or hardware. These tools typically produce a mix of easy and hard 
proof obligations that must be discharged by the solver. For many applications, 
it is crucial that the SMT solver responds quickly, and modern solvers are finely 
tuned to deliver the required performance. String solvers often stratify reason- 
ing about constraints by combining different reasoning techniques rather than 
relying on a single, monolithic procedure. Specifically, it is common for a string 
solver to have a core procedure that processes only a basic language of string 
constraints with a minimal set of string operators. Extended constraints, contain- 
ing additional operators, are supported by applying transformations that reduce 
them to combinations of basic constraints. Optimizations to this design have 
been explored in previous work, e.g., by simplifying extended string constraints 
based on the current context (i.e., the current set of asserted constraints) [29]. 
However, existing techniques still sometimes fall short for industrial applications, 
which continue to require richer languages of constraints while expecting the 
underlying solvers to remain efficient. To meet these needs, string solvers must 
have an even greater understanding of extended constraints and be equipped 
with fast procedures that leverage this knowledge. 

In this work, we focus on CDCL(T)-based SMT solvers [26], where solving 
is done through the cooperation of a SAT solver and one or more theory solvers. 
The SAT solver is responsible for finding truth assignments M that satisfy the 
Boolean abstraction of the input formula, and the theory solvers are responsible 
for returning conflict clauses (disjunctions of literals that are valid in the theory 
T but are falsified by M) and, optionally, lemmas (selected clauses that are valid 
in T). The conflict clauses and lemmas from theory solvers are then added to 
the original input formula, and the process of finding a satisfying assignment M 
is repeated until no conflicts are detected, indicating that the input formula is 
satisfiable in T, or an unrecoverable conflict is derived, indicating that the input 
is unsatisfiable in T. Theory reasoning done while the SAT solver is constructing 
the assignment M is characterized as eager. Theory reasoning done after a full 
assignment has been computed is called lazy. 

Inspired by real-world benchmarks, we propose new techniques for string 
solvers that make them more eager, and hence faster, in their discovery of con- 
flicts and lazier in reducing constraints that are hard to handle, such as 
negated regular expression membership constraints. For the former, 
we extend the congruence closure [24] module at the heart of the string solver 
to perform selected theory-specific forms of reasoning including eager evalua- 
tion, reasoning based on inferred prefixes and suffixes, and (integer) arithmetic 
approximations (Sect.3). For the latter, we introduce several new techniques for 
avoiding reductions involving extended string operators (Sects. 4 and 5). This set 
of techniques is particularly useful for satisfiable benchmarks, where it is pos- 
sible to determine that a (candidate) model indeed satisfies the input formula 
without having to fully process extended constraints. We have designed these 
techniques to be compatible with most existing solving techniques for strings. In 
Sect.6, we propose an extended strategy that describes the integration of the 
new techniques within an existing string solver. 

In summary, our contributions are as follows: 


— We describe new techniques for eagerly detecting conflicts based on an 
enriched congruence closure procedure for the theory of strings. 
— We describe a strategy for model-based reductions, which can be used to min- 
imize the reductions considered during string solving. 

— We describe a procedure for efficiently reasoning about inclusion relationships 
for a common fragment of regular membership constraints. This procedure 
is used both for detecting conflicts and for avoiding unfoldings of regular 
expressions. 

— We evaluate an implementation of the new techniques in cvc5 [8], an open- 
source state-of-the-art SMT solver, on a wide range of string benchmarks and 
show a significant improvement in overall performance. 


1.1 Related Work 


As mentioned above, string solvers typically reduce the input constraints to a 
basic form. Common basic representations include finite automata [14,17,18,31, 
33], bit-vectors [19], arrays [20], variations of word equations and length con- 
straints [12,29,32,36], and hybrid approaches that combine word equations and 
bit-vector representations [23]. Our techniques for lazier reductions are primar- 
ily targeted at reductions to word equations, but our other techniques are more 
broadly applicable and could be used with any of the other basic representations. 

In general, the theory of strings is undecidable [12], but modern solvers inte- 
grate a wide range of techniques to solve problems that appear in practice. One 
line of work has been exploring techniques that avoid reductions or make them 
more efficient. Reynolds et al. [29] describe an approach for lazily performing 
reductions after simplifying extended functions based on other constraints in the 
current context. In later work, Reynolds et al. [27] propose the use of aggressive 
rewriting to eliminate or simplify extended string constraints before performing 
reductions. In this work, we propose techniques that can be combined with that 
earlier work to perform reductions even more lazily. Reynolds et al. [28] also 
proposed a technique for improving the efficiency of reductions by introducing 
fewer fresh variables. Our approach is orthogonal to this work, because it further 
avoids reductions, but cannot avoid them entirely. 

Both Reynolds et al. [28] and Backes et al. [7] reduce a fragment of regular 
expression constraints to extended string constraints. In contrast, our approach 
avoids reductions of certain regular membership constraints. 


2 Preliminaries 


We work in many-sorted first-order logic with equality and assume the reader is 
familiar with the notions of signature, term, literal, (quantified) formula, and free 
variable (see, e.g., [16]). We consider many-sorted signatures Σ, each containing 
a family of logical symbols ≈ for equality, interpreted as the identity relation, 
with input sort σ × σ for all sorts σ in Σ. A Σ-interpretation is a Σ-structure 
that additionally assigns a value to each variable. A theory is a pair T = (Σ, I), 
in which Σ is a signature and I is a class of Σ-interpretations, the models of 
T. A Σ-formula φ is satisfiable (resp., unsatisfiable) in T if it is satisfied by 
some (resp., no) interpretation in I. By convention and unless otherwise stated, 
we use letters x, y, z to denote variables and s, t to denote terms. 


  n : Int  (for all n ∈ ℕ)      + : Int × Int → Int     − : Int → Int     ≥ : Int × Int → Bool 
  l : Str  (for all l ∈ A*)     _·…·_ : Str × ⋯ × Str → Str               |_| : Str → Int 
  substr : Str × Int × Int → Str                          ctn : Str × Str → Bool 
  indexof : Str × Str × Int → Int                         replace : Str × Str × Str → Str 
  _∈_ : Str × Lan → Bool                                  Σ : Lan 
  rcon : Lan × ⋯ × Lan → Lan                              re : Str → Lan 
  inter : Lan × ⋯ × Lan → Lan                             _* : Lan → Lan 
  union : Lan × ⋯ × Lan → Lan                             range_{c1,c2} : Lan 


Fig. 1. Functions in the signature of the theory of strings T_S. 

We consider an (extended) theory T_S of strings whose signature Σ_S is given 
in Fig. 1. We fix a totally ordered finite alphabet A of characters. The signature 
includes the sorts Str, Lan, Int, and Bool, denoting A*, regular languages over 
A, integers, and Booleans respectively. The core signature is given on the first 
two lines. It includes the usual symbols of linear integer arithmetic, interpreted 
as expected. We will write t1 ⋈ t2, with ⋈ ∈ {>, <, ≤}, as syntactic sugar for 
the equivalent inequality between t1 and t2 expressed using only ≥. The core 
string symbols are given on the second line, and include a constant symbol, or 
string constant, for each word of A* interpreted as that word; a variadic function 
symbol _·…·_ : Str × ⋯ × Str → Str, interpreted as word concatenation; and a 
function symbol |_| : Str → Int, interpreted as the word length function. In our 
examples, we will take A to be the set of ASCII characters and denote string 
constants by double-quote-delimited string literals (as in "abc"). 

The four function symbols in the next two lines of Fig. 1 encode operations 
on strings that often occur in applications: a substring operator, a string con- 
tainment predicate, an operation to find the position of one string in another, 
and one to replace a substring with another. We refer to these function symbols 
as extended functions. For details on the semantics of these operators, see for 
example [29]. 

The remainder of the signature covers regular expressions. It includes an 
infix binary predicate symbol _∈_ : Str × Lan → Bool, which denotes word 
membership in a given regular language. The remaining symbols are used to 
construct regular expressions. In particular, Σ denotes (the language of) all 
strings of length one; re(s) denotes the singleton language containing just the 
word denoted by s; rcon(R1, …, Rn) denotes all strings that are a concatena- 
tion of strings denoted by the arguments; the Kleene star operator R* denotes 
all strings that are obtained as the concatenation of zero or more repetitions of 
the strings denoted by R; inter(R1, …, Rn) denotes the intersection of the lan- 
guages denoted by its arguments; and union(R1, …, Rn) denotes the union of the 
languages denoted by its arguments. Finally, we include the class of all indexed 
regular expression symbols of the form range_{c1,c2}, where c1 and c2 are string 
constants of length one. We call this a regular expression range and interpret it 
as the language containing all strings of length one that are between c1 and c2 
(inclusive) in the ordering associated with A. 


3 Eager Equality-Based Conflicts for Strings 


We consider theory solvers for strings like those described by Liang et al. [21], 
which have at their core a congruence closure algorithm that determines whether 
a set of string constraints S is satisfiable in the empty theory (i.e., all func- 
tion symbols, including string operations, are treated as uninterpreted). In this 
section, we describe two enhancements to such congruence closure algorithms, 
which can help detect theory-inconsistencies in S. We stress that our extended 
congruence closure is computed eagerly and incrementally as the SAT solver 
assigns truth values to string equalities. This enables the enhanced congruence 
closure algorithm to detect theory inconsistencies early, when the truth assign- 
ment is still only partially specified. We elaborate on how this enables eager 
backtracking in Sect. 6. 


3.1 Enhancing Congruence Closure with Evaluation 


The string solver implements a procedure to compute the congruence closure 
C(S) over the set S of currently asserted string equalities. Let T(S) be the set of 
all terms and subterms in S. Formally, C(S) is the set of all equalities between 
terms in T(S) that are entailed by the empty theory: 


$$C(S) = \{\, s \approx t \mid s, t \in T(S),\ S \models s \approx t \,\}$$


The output of the procedure that computes C(S) can be represented as a set of 
equivalence classes, that is, a partition of T(S) where each block of the partition 
is a maximal set of equivalent terms. For each equivalence class, we designate 
a unique term in it as the representative for that class; if the class contains at 
least one constant term, then the representative must be one of them. We will 
denote by [t] the equivalence class of a term t induced by C(S). By a slight abuse 
of notation we will use [t] also to denote the representative of that class. 

Computing the congruence closure C(S) allows the string solver to detect 
theory conflicts in the current context, which occur when the context contains a 
disequality s ≉ t where [s] = [t]. It also allows the string solver to propagate to 
the SAT solver entailed equalities that occur in the input formula but have not 
been explicitly asserted yet. 

By default, congruence closure procedures effectively treat theory symbols 
as uninterpreted functions. Here, we propose a lightweight approach for inject- 
ing some theory-specific reasoning by evaluating string terms whenever possible. 


A. Nötzli et al. 


Specifically, for every term that is a function application f(t1, …, tn), where f 
is a string theory symbol, if the representatives [t1], …, [tn] are all constants, 
the enhanced congruence closure procedure adds the equality f(t1, …, tn) ≈ 
f([t1], …, [tn])↓ to C(S), where f([t1], …, [tn])↓ is the constant resulting from 
the evaluation of f([t1], …, [tn]). Adding these equalities improves the ability of 
the congruence closure layer to detect more theory conflicts and propagations, 
as illustrated in the following example. 


Example 1. Consider the constraints {y ≈ "b", z ≈ replace(x, y, "d"), x ≈ z, x ≈ 
"abc"}, where the term replace(x, y, "d") denotes the result of replacing the first 
occurrence of y in x by "d" if one exists. The congruence closure for this set 
of constraints determines the following equivalence classes, each with a constant 
representative: 


  {"b", y},   {"d"},   {"abc", x, z, replace(x, y, "d")} 


This means that the term replace(x, y, "d") is equivalent to the con- 
crete term replace("abc", "b", "d"). Evaluating the latter results in the con- 
stant "adc". Hence, the congruence closure procedure will add the equality 
replace(x, y, "d") ≈ "adc" to its input set of equalities and recompute the con- 
gruence closure. This will cause the third equivalence class in the list above 
to contain the (distinct) string constants "abc" and "adc", thus resulting in a 
conflict. 


In our implementation, we must track explanations for inferred equalities for 
the purposes of reporting conflict clauses. In the above example, the equality 
replace(x, y, "d") ≈ "adc" is added to the congruence with the explanation x ≈ 
"abc" ∧ y ≈ "b", which is then used in the standard technique for constructing 
explanations for congruence-closure-based reasoning [25]. 

We remark that enhancing congruence closure with evaluation is not specific 
to the theory of strings, and can be leveraged by other theory solvers based on 
congruence closure. Further exploration of this technique and its impact on other 
theories is left as future work. 
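The evaluation-enhanced congruence closure described above, as an added example that is not code from the paper or from cvc5: a minimal union-find closure over string terms whose saturation step evaluates every application whose argument representatives are all constants, replaying Example 1. The term encoding (quoted Python strings for string constants, bare strings for variables, tuples for applications), the function names and the omission of explanation tracking are this example's own assumptions.

```python
"""Congruence closure with eager evaluation of string functions (Sect. 3.1).

Added example, not code from the paper or from cvc5. Term encoding is an
assumption of this example: a Python str starting with '"' is a string
constant (e.g. '"abc"'), any other str is a variable, and a tuple
(f, arg1, ..., argn) is a function application. Explanations are not tracked.
"""


def is_const(t):
    return isinstance(t, str) and t.startswith('"')


def evaluate(f, args):
    """Evaluate a string function on constant arguments; None if f is not handled here."""
    vals = [a[1:-1] for a in args]                  # strip the quotes
    if f == "replace":                              # first occurrence of y in x becomes z
        x, y, z = vals
        return '"' + x.replace(y, z, 1) + '"'
    if f == "concat":
        return '"' + "".join(vals) + '"'
    return None


class CongruenceClosure:
    def __init__(self):
        self.parent = {}            # union-find forest over all (sub)terms seen so far
        self.conflict = None        # pair of distinct constants that were forced equal

    def _add(self, t):
        if t in self.parent:
            return
        self.parent[t] = t
        if isinstance(t, tuple):
            for a in t[1:]:
                self._add(a)

    def find(self, t):
        while self.parent[t] != t:
            t = self.parent[t]
        return t

    def _union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        if is_const(ra) and is_const(rb):           # two distinct constants: theory conflict
            self.conflict = (ra, rb)
            return False
        if is_const(rb):                            # a constant must stay the representative
            ra, rb = rb, ra
        self.parent[rb] = ra
        return True

    def assert_eq(self, s, t):
        self._add(s)
        self._add(t)
        self._union(s, t)
        self._close()

    def _close(self):
        """Saturate under congruence and under evaluation until nothing changes."""
        changed = True
        while changed and self.conflict is None:
            changed = False
            apps = [t for t in self.parent if isinstance(t, tuple)]
            for i, t1 in enumerate(apps):           # congruence: equal arguments, equal applications
                for t2 in apps[i + 1:]:
                    if (t1[0] == t2[0] and len(t1) == len(t2)
                            and all(self.find(a) == self.find(b)
                                    for a, b in zip(t1[1:], t2[1:]))):
                        changed |= self._union(t1, t2)
            for t in apps:                          # evaluation: all argument representatives constant
                reps = [self.find(a) for a in t[1:]]
                if all(is_const(r) for r in reps):
                    c = evaluate(t[0], reps)
                    if c is not None:
                        self._add(c)
                        changed |= self._union(t, c)


def example_1():
    """Example 1: replace(x, y, "d") evaluates to "adc" while its class holds "abc"."""
    cc = CongruenceClosure()
    cc.assert_eq("y", '"b"')
    cc.assert_eq("z", ("replace", "x", "y", '"d"'))
    cc.assert_eq("x", "z")
    cc.assert_eq("x", '"abc"')
    return cc.conflict


def example_1_consistent():
    """Drop x ≈ z: no conflict, and z is inferred to equal "adc" by evaluation."""
    cc = CongruenceClosure()
    cc.assert_eq("y", '"b"')
    cc.assert_eq("z", ("replace", "x", "y", '"d"'))
    cc.assert_eq("x", '"abc"')
    return cc.conflict, cc.find("z")
```

Asserting x ≈ "abc" is what makes all three argument representatives of replace(x, y, "d") constant; the evaluated constant "adc" then collides with the representative "abc" of the same class, which is exactly the conflict of Example 1. Without x ≈ z the same evaluation simply places z in the class of "adc".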


3.2 Tracking Properties of Equivalence Classes 


In addition to the use of evaluation, we enhance our congruence closure procedure 
with further information that can be used to discover conflicts eagerly based on 
string-specific reasoning. We describe two examples of this mechanism below. 

First, we maintain a mapping 𝓘 from integer equivalence classes e to intervals 
of the form [ℓ, u], indicating concrete lower and upper bounds on the value that 
the terms in e can have. Open intervals are achieved by letting ℓ and u be −∞ 
and ∞ respectively. The interval can be inferred using string-specific reasoning 
over the terms in e. 

Second, we maintain a mapping 𝓢 from string equivalence classes e to a pair 
of string constants (l1, l2) denoting the maximal known prefix l1 and suffix l2 
of the value that the terms in e can have. For example, if e contains the term 
"abc" · x then l1 for e is, at least, "abc". When no prefix is known, l1 is the 
empty string. The suffix l2 is handled similarly. 

Figure 2 shows how the maps 𝓘 and 𝓢 are updated when new equiva- 
lence classes are created (newEqc) and when equivalence classes are merged 
(mergeEqc), the two basic methods that are used when computing congruence clo- 
sures. For the second method, a helper method (mergeEntry) is used to combine 
the contents of the entries in two maps. We assume without loss of generality 
that when mergeEqc is called on equivalence classes ([t1], [t2]), [t1] becomes the 
new representative for the merged class. 


  newEqc(t): 
    t : Int    𝓘[t] := [n, n]                  if t = n 
                       [ℓ_{|s|}, u_{|s|}]      if t = |s| 
                       [−∞, ∞]                 otherwise 
    t : Str    𝓢[t] := (t, t)                  if t is a constant 
                       (l1, l2)                if t reduces to l1 · t' · l2 with l1, l2 constants 

  mergeEqc([t1], [t2]): 
    t1, t2 : Bool   if (t1, t2) = (⊤, x ∈ R) where R = rcon(re(l1), R', re(l2)) then 
                      mergeEntry(𝓘[x], [ℓ_R, u_R]) 
                      mergeEntry(𝓢[x], (l1, l2)) 
    t1, t2 : Int    mergeEntry(𝓘[t1], 𝓘[t2]) 
    t1, t2 : Str    mergeEntry(𝓢[t1], 𝓢[t2]) 

  mergeEntry(E1, E2): 
    E1, E2 = [ℓ1, u1], [ℓ2, u2]   if ℓ1 > u2 or ℓ2 > u1 then CONFLICT 
                                  else E1 := [max(ℓ1, ℓ2), min(u1, u2)] 
    E1, E2 = (p1, s1), (p2, s2)   if p1 ≠pre p2 or s1 ≠suf s2 then CONFLICT 
                                  else E1 := (max|_|(p1, p2), max|_|(s1, s2)) 


Fig. 2. Methods for tracking intervals, prefixes, and suffixes for equivalence classes. 

We now look at these methods in more detail. When a new equivalence class 
for term t is created, we look at the type of t. If t has integer type, there are 
three cases. If t is a numeral n, it is mapped to the interval [n, n]. If t is a length 
term of the form |s|, then we compute an interval [ℓ_{|s|}, u_{|s|}] where ℓ_{|s|} (resp., 
u_{|s|}) is a sound under-approximation (resp., over-approximation) of the length 
of s. We use the procedure described by Reynolds et al. [27] to compute these 
approximations. We use it because it is available, well-tested, and designed to be 
fast, but any sound approximation could be used. Otherwise, t is mapped to the 
open interval [−∞, ∞]. If t has string type, we consider two cases. If t is a string 
constant, its prefix and suffix are both set to t. If t can be normalized using a 
simple set of rewrite rules to a concatenation term of the form l1 · t' · l2, where 
l1 and l2 are string constants of maximal length and t' is a non-constant term, 
then t is mapped to the pair (l1, l2). Note that the notation l1 · t' · l2 is meant to 
include the case where either l1 or l2 (or both) is the empty string.¹ 

When two equivalence classes [t1] and [t2] are merged, first, if [t1] is ⊤ and 
[t2] is a regular expression membership predicate x ∈ R, then we may infer 
information about x, because x ∈ R is now known to be true in the current 
context. We compute upper and lower bounds [ℓ_R, u_R] on the length of all 
strings that occur in R. We use fast approximate techniques for computing these 
bounds (e.g., sum the length of constant components of concatenations to infer 
lower bounds). Note that these techniques are context-independent and are solely 
based on the structure of R. We update the entry 𝓘[x] based on this information. 
Similarly, we update the entry 𝓢[x] with information about the constant prefix 
and suffix of the regular expression R. On the other hand, when [t1] and [t2] are 
integer or string equivalence classes, we merge the entries for the appropriate 
mapping. We stress that the entry for [t1] is updated with the information from 
the entry for [t2] and not vice versa. This is because [t1] is the new representative 
of the merged equivalence class, and further merges may refer to it, while [t2] is 
subsequently unused. 

When merging entries, we may determine that the constraints represented 
by the two entries are inconsistent, in which case we have found a conflict. For 
example, when merging integer equivalence classes, if the lower bound for one 
equivalence class is greater than the upper bound for the other, we raise a conflict. 
For string equivalence classes, a conflict is raised if the prefixes for the two 
equivalence classes are incompatible (i.e., neither is a prefix of the other) and 
similarly for suffixes. We write p1 ≠pre p2 (resp., s1 ≠suf s2) to denote that p1 
is not a prefix of p2 or vice versa (resp., s1 is not a suffix of s2 or vice versa), 
and max|_| to denote the function returning the string constant having maximum 
length. If no conflict is raised, then the new entry E1 is updated to contain the 
merged information: for integers, we take the maximal lower bound and minimal 
upper bound; and for strings, we take the prefix or suffix of maximal length. 

In the context of CDCL(T), when the procedure raises a conflict, it is required 
to return a conflict clause, which in turn will cause the solver to backtrack. To 
make it possible to compute conflict clauses in the methods described above, 
each component of the entries for an equivalence class e in the two maps 𝓘 
and 𝓢 is additionally annotated with an explanation pair (t, φ), where t is a 
term in e and φ entails that t has the property represented by the component. 
This is maintained independently for each lower bound, upper bound, prefix 
and suffix. In most cases, this pair is of the form (t, ⊤), where t is the source 
of the annotation. When inferring annotations from an asserted membership 
constraint x ∈ R during mergeEqc above, their explanations are the pair (x, x ∈ 
R). Explanations are updated when entries E1 and E2 are merged, where, e.g., 
the explanation for the lower bound is taken from E2 when ℓ2 > ℓ1. When 
two entries are in conflict, the explanations are used to generate the conflict. 
For example, assuming two entries have explanations (t1, φ1) and (t2, φ2), we 
send the conflict clause ¬(t1 ≈ t2 ∧ φ1 ∧ φ2). The equality t1 ≈ t2 may be 
further expanded using standard methods for explanations during congruence 
closure [25]. 


¹ It is possible to produce tighter prefixes and suffixes recursively, for instance for 
terms t1 · t' · t2 where the equivalence class of t1 (resp., t2) is assigned a constant 
prefix (resp., suffix). However, in our experiments, this did not turn out to be worth 
the extra effort. 


Example 2. Consider the constraints {x ∈ rcon(re("a"), Σ*, re("b")), z ≈ "bcd" · 
w, x ≈ z}. The state of the map 𝓢 after processing each assertion is as follows: 


  #  Assertion                         𝓢                                  Conflict? 
  1  x ∈ rcon(re("a"), Σ*, re("b"))    𝓢1 = {[x] ↦ ("a", "b")} 
  2  z ≈ "bcd" · w                     𝓢2 = 𝓢1 ∪ {[z] ↦ ("bcd", ε)} 
  3  x ≈ z                             𝓢2                                 𝓢2([x]), 𝓢2([z]) 


When the first constraint x ∈ rcon(re("a"), Σ*, re("b")) is asserted, we con- 
struct the (Boolean) equivalence class for this constraint and merge it with [⊤]. 
Based on the mergeEqc method, we infer that the prefix and suffix for the string 
equivalence class [x] are "a" and "b" respectively, which are added to 𝓢 to obtain 
𝓢1. When the second constraint is asserted, we infer the prefix "bcd" for [z] and 
add it to 𝓢1 to get 𝓢2; no suffix is inferred since we do not know the value of w. 
When the third constraint is asserted, the equivalence classes [x] and [z] merge. 
Since we have inferred that "a" is a prefix of [x] and "bcd" is a prefix of [z], we 
have a conflict, as neither of these two strings is a prefix of the other. Our procedure 
will thus report a conflict containing the three constraints. 


Example 3. Consider the constraints {|s| ≉ 0, |"abc" · w| ≉ 0, x ≈ s, x ≈ "abc" · 
w}, where s is the term substr(y, 0, 2), which takes the substring of y at position 
0 of length (at most) 2. The state of the map 𝓘 after processing each assertion 
is as follows: 


  #  Assertion          𝓘                                           Conflict? 
  1  |s| ≉ 0            𝓘1 = {[0] ↦ [0, 0], [|s|] ↦ [0, 2]} 
  2  |"abc" · w| ≉ 0    𝓘2 = 𝓘1 ∪ {[|"abc" · w|] ↦ [3, ∞]} 
  3  x ≈ s              𝓘2 
  4  x ≈ "abc" · w      𝓘2                                          𝓘2([|s|]), 𝓘2([|"abc" · w|]) 


When the first constraint |s| ≉ 0 is asserted, we construct the equivalence 
classes [0] and [|s|]. The former trivially has bounds [0, 0]. For the latter, we 
use the methods from [27] to infer lower and upper bounds for |s|. Note that 
every string has a lower length bound of 0. The upper bound for the length of 
substr(y, 0, 2) can easily be inferred to be 2. Similarly, when |"abc" · w| ≉ 0 is 
asserted, the equivalence class [|"abc" · w|] is created, whose length has a lower 
bound of 3 and no upper bound. After the latter two constraints are asserted, 
note that s becomes equal to "abc" · w by transitivity, and hence |s| is equal to 
|"abc" · w| by congruence. When these two equivalence classes merge, we obtain 
a conflict from their respective entries in 𝓘, since the former has an upper bound 
of 2 and the latter has a lower bound of 3. Thus, our procedure returns the latter 
two constraints as a conflict. 
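As an added example (not the paper's or cvc5's code), the following Python replays Examples 2 and 3 with the mergeEntry logic of Fig. 2, including the explanation pairs that are turned into the conflict clause ¬(t1 ≈ t2 ∧ φ1 ∧ φ2). The length-bound and prefix/suffix approximations are the simple structural ones the text describes, not the procedure of [27]; the term and regex encodings, the function names and the TOP marker for the trivial explanation are assumptions of this example.

```python
"""Entry merging with explanations for the maps I and S (Sect. 3.2, Fig. 2).
Added example, not the paper's or cvc5's code; it replays Examples 2 and 3.
Assumed encodings: '"abc"' is a string constant, 'w' a variable,
("concat", ...) and ("substr", s, i, n) are applications, regular expressions
are nested tuples, and every entry component carries its explanation (t,
phi), with phi = TOP for the trivial explanation."""
import math

INF = math.inf
TOP = "⊤"

def is_const(t):
    return isinstance(t, str) and t.startswith('"')

def length_bounds(t):
    """Sound [lower, upper] bounds on |t| from the structure of t alone."""
    if is_const(t):
        return (len(t) - 2, len(t) - 2)
    if isinstance(t, str):                              # variable: any length
        return (0, INF)
    if t[0] == "concat":
        lows, highs = zip(*(length_bounds(a) for a in t[1:]))
        return (sum(lows), sum(highs))
    if t[0] == "substr":                                # substr(s, i, n): at most n characters
        return (0, min(length_bounds(t[1])[1], max(t[3], 0)))
    return (0, INF)

def prefix_suffix(t):
    """Maximal constant prefix/suffix when t normalizes to l1 · t' · l2."""
    if is_const(t):
        return (t[1:-1], t[1:-1])
    if isinstance(t, tuple) and t[0] == "concat":
        parts, pre, suf = list(t[1:]), "", ""
        while parts and is_const(parts[0]):
            pre += parts.pop(0)[1:-1]
        while parts and is_const(parts[-1]):
            suf = parts.pop()[1:-1] + suf
        return (pre, suf) if parts else (pre, pre)
    return ("", "")

def regex_prefix_suffix(R):
    """Constant prefix/suffix of rcon(re(l1), R', re(l2)); empty if an end is not re(l)."""
    pre = R[1][1][1:-1] if R[1][0] == "re" else ""
    suf = R[-1][1][1:-1] if R[-1][0] == "re" else ""
    return (pre, suf)

def entry(t, first, second, expl=TOP):
    # [l, u] or (prefix, suffix); each half annotated with its explanation (t, phi)
    return [(first, (t, expl)), (second, (t, expl))]

class Conflict(Exception):
    def __init__(self, clause):
        super().__init__(clause)
        self.clause = clause

def conflict_clause(ann1, ann2):
    """¬(t1 ≈ t2 ∧ φ1 ∧ φ2) as a list of literals; trivial φ are dropped."""
    (t1, phi1), (t2, phi2) = ann1, ann2
    return [("≉", t1, t2)] + [("¬", p) for p in (phi1, phi2) if p != TOP]

def merge_interval(e1, e2):
    """mergeEntry for I: intersect the intervals or raise the explained conflict."""
    (lo1, a1), (hi1, b1) = e1
    (lo2, a2), (hi2, b2) = e2
    if lo1 > hi2:
        raise Conflict(conflict_clause(a1, b2))
    if lo2 > hi1:
        raise Conflict(conflict_clause(a2, b1))
    e1[0] = (lo1, a1) if lo1 >= lo2 else (lo2, a2)     # explanation follows the tighter bound
    e1[1] = (hi1, b1) if hi1 <= hi2 else (hi2, b2)
    return e1

def merge_prefix_suffix(e1, e2):
    """mergeEntry for S: keep the longer prefix/suffix or raise on ≠pre / ≠suf."""
    compatible = (lambda a, b: a.startswith(b) or b.startswith(a),
                  lambda a, b: a.endswith(b) or b.endswith(a))
    for i in (0, 1):
        (v1, a1), (v2, a2) = e1[i], e2[i]
        if not compatible[i](v1, v2):
            raise Conflict(conflict_clause(a1, a2))
        e1[i] = (v1, a1) if len(v1) >= len(v2) else (v2, a2)
    return e1

def example_2():
    """Prefix "a" from x ∈ rcon(re("a"), Σ*, re("b")) clashes with "bcd" from z ≈ "bcd" · w."""
    R = ("rcon", ("re", '"a"'), ("star", ("Σ",)), ("re", '"b"'))
    S = {"x": entry("x", *regex_prefix_suffix(R), expl=("∈", "x", R)),
         "z": entry("z", *prefix_suffix(("concat", '"bcd"', "w")))}
    try:
        merge_prefix_suffix(S["x"], S["z"])             # [x] and [z] merge on x ≈ z
    except Conflict as c:
        return c.clause
    return None

def example_3():
    """|substr(y, 0, 2)| ∈ [0, 2] and |"abc" · w| ∈ [3, ∞] cannot share a class."""
    s, t = ("substr", "y", 0, 2), ("concat", '"abc"', "w")
    I = {u: entry(("len", u), *length_bounds(u)) for u in (s, t)}
    try:
        merge_interval(I[s], I[t])                      # |s| ≈ |"abc" · w| by congruence
    except Conflict as c:
        return c.clause
    return None
```

For Example 2 the clause contains the literal ¬(x ∈ R) because that entry's explanation came from the asserted membership, while the entry for [z] carries the trivial explanation and contributes only the equality x ≉ z; in Example 3 both entries were inferred structurally, so the clause is just the (congruence) equality between the two length terms, which the solver expands further.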


4 Model-Based Reductions for Strings 


The bottleneck for string solving often lies in reasoning about the reductions of 
extended string functions. Context-dependent simplification can greatly improve 
the scalability of string solvers for extended string constraints [29]. At a high 
level, this approach attempts to simplify extended terms based on information 
that holds in the current context, which can preempt the need for potentially 
expensive reasoning. In this work, we extend this strategy by additionally rea- 
soning about candidate models. 

First, we briefly review how extended string terms are reduced to more basic 
constructs. A reduction formula for term t is a formula φ ∧ t ≈ k, where k is a 
fresh variable and φ is a formula over terms k, t1, …, tn that characterizes the 
meaning of t in the sense that a theory interpretation satisfies φ if and only if 
it satisfies t ≈ k. As a result, the formula ∃k. (φ ∧ t ≈ k) is valid in the theory, 
and hence its Skolemized version can be given to the SAT solver as a lemma. 
This effectively reduces the satisfiability of constraints of the form c[t] to the 
satisfiability of c[k] ∧ φ, where t has been replaced by k. 


Example 4. Let t be the regular expression membership constraint x ∈ re("a")*. 
The formula (k ≈ (x ≈ ε ∨ x ∈ re("a") ∨ ψ)) ∧ t ≈ k, where ψ is 

  ∃k1 k2 k3. x ≈ k1 · k2 · k3 ∧ k1 ∈ re("a") ∧ k2 ∈ re("a")* ∧ k3 ∈ re("a"), 

is a reduction for t. 


Reductions like the one above can be expensive to reason about, since they may 
introduce fresh (possibly universally) quantified variables. Context-dependent 
simplifications can avoid these reductions in some cases. 

Given a string term t of the form f(t1, …, tn), where f is an extended 
function, a context-dependent simplification is a formula of the form (t1 ≈ 
s1 ∧ … ∧ tn ≈ sn) ⇒ t ≈ l, where l is the constant value obtained by evalu- 
ating or rewriting f(s1, …, sn). Whenever possible, we use context-dependent 
simplifications for extended string terms, where t1 ≈ s1, …, tn ≈ sn are equal- 
ities that hold in the current context. The same approach can be applied to 
regular expression memberships as well, where a membership constraint of the 
form x ∈ R can be simplified to ⊤ or ⊥ whenever x is inferred to be equal to a 
concrete string literal. 

Example 5. Let t be as in the previous example. The formula x ≈ "b" ⇒ t ≈ ⊥ 
is a context-dependent simplification for t.² 


While context-dependent simplification eliminates some reductions, in this 
paper we propose making certain reductions even lazier by taking into account 
candidate models. If a candidate model can be built that already satisfies a 
constraint with extended terms, it is not necessary to reduce it. 

To elaborate, existing procedures for strings [21] are able to construct candi- 
date models M (or, more precisely, interpretations) for satisfiable sets of string 
constraints before reductions are considered by treating all (sub)terms headed 
by an extended function as fresh variables, and by ignoring regular expression 
membership constraints. A strategy for model-based reduction only considers 
reductions for t if the candidate model M is inconsistent with the semantics of 
t—something that can be easily checked by evaluating t in the model and veri- 
fying that the computed value coincides with the value that M assigns to t as a 
variable. This allows us to avoid reductions for cases where a candidate model is 
correctly guessed in the presence of extended functions and regular expression 
membership constraints. A concrete instantiation of this strategy is described in 
Sect. 6. 


Example 6. Consider the constraints {x ≈ y · "c", ¬x ∈ rcon(Σ*, 
re("j"), Σ*)}. A model-based reduction strategy would first construct a candi- 
date model that satisfies the first constraint, e.g., M = {x ↦ "abc", y ↦ "ab"}. 
It would then check whether the membership constraint x ∈ rcon(Σ*, re("j"), Σ*) 
evaluates to false in M. This is indeed the case, since x^M = "abc", making M 
a model for the full set of constraints. Hence, the reduction for the regular mem- 
bership constraint in this example can be avoided altogether. 
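The model-based check described above, as an added example that is not code from the paper or from cvc5: given a candidate model that assigns values to the variables and to extended terms treated as fresh variables, it returns exactly the extended terms and membership literals whose candidate value disagrees with their semantics, i.e. the ones that still need a reduction; an empty result means the candidate is a model. The tuple encodings of terms and regular expressions, the translation of the paper's regex constructors into Python's re module and the constraint shapes are assumptions of this example.

```python
"""Model-based reduction check (Sect. 4). Added example, not the paper's or
cvc5's code. Assumed encodings: '"abc"' is a string constant, 'x' a variable,
("concat", ...) / ("replace", x, y, z) / ("substr", s, i, n) / ("ctn", s, t)
are applications, regular expressions are ("re", "j"), ("Σ",),
("range", "0", "9"), ("star", R), ("rcon", ...), ("union", ...). A candidate
model M maps variables and extended terms (as fresh variables) to Python
strings; memberships are ignored when M is built."""
import re

EXTENDED = {"replace", "substr", "ctn"}

def is_const(t):
    return isinstance(t, str) and t.startswith('"')

def to_python_regex(R):
    """Translate the paper's regex constructors into Python re syntax."""
    kind = R[0]
    if kind == "re":
        return re.escape(R[1])
    if kind == "Σ":
        return "."
    if kind == "range":
        return "[" + re.escape(R[1]) + "-" + re.escape(R[2]) + "]"
    if kind == "star":
        return "(?:" + to_python_regex(R[1]) + ")*"
    if kind == "rcon":
        return "".join(to_python_regex(a) for a in R[1:])
    if kind == "union":
        return "(?:" + "|".join(to_python_regex(a) for a in R[1:]) + ")"
    raise ValueError(kind)

def in_language(word, R):
    return re.fullmatch(to_python_regex(R), word, re.DOTALL) is not None

def eval_term(t, M, as_variable=False):
    """Value of t in M. With as_variable=True an extended term is read off M
    like a fresh variable (the candidate model's view); otherwise its real
    semantics are applied to the values of its arguments."""
    if isinstance(t, int):
        return t
    if is_const(t):
        return t[1:-1]
    if isinstance(t, str):
        return M[t]
    f, *args = t
    if as_variable and f in EXTENDED:
        return M[t]
    v = [eval_term(a, M, as_variable) for a in args]
    if f == "concat":
        return "".join(v)
    if f == "replace":                       # first occurrence of v[1] in v[0] becomes v[2]
        return v[0].replace(v[1], v[2], 1)
    if f == "substr":
        return v[0][v[1]:v[1] + v[2]] if v[1] >= 0 and v[2] > 0 else ""
    if f == "ctn":
        return v[1] in v[0]
    raise ValueError(f)

def extended_subterms(t):
    if isinstance(t, tuple):
        if t[0] in EXTENDED:
            yield t
        for a in t[1:]:
            yield from extended_subterms(a)

def needs_reduction(constraints, M):
    """Constraints are ("≈", s, t), ("∈", x, R) or ("¬", c). Returns the
    extended terms and membership literals whose value in M disagrees with
    their semantics; an empty list means M is a model, nothing to reduce."""
    todo = []
    for c in constraints:
        polarity, lit = (False, c[1]) if c[0] == "¬" else (True, c)
        if lit[0] == "≈":
            if (eval_term(lit[1], M, True) == eval_term(lit[2], M, True)) != polarity:
                raise ValueError("M must satisfy the basic abstraction of the constraints")
            for t in list(extended_subterms(lit[1])) + list(extended_subterms(lit[2])):
                if eval_term(t, M, True) != eval_term(t, M):     # guessed vs. actual value
                    todo.append(t)
        elif in_language(eval_term(lit[1], M), lit[2]) != polarity:
            todo.append(c)
    return todo

# Example 6 of the paper, and a replace(x, y, "d") constraint in the same encoding.
R_J = ("rcon", ("star", ("Σ",)), ("re", "j"), ("star", ("Σ",)))
EXAMPLE_6 = [("≈", "x", ("concat", "y", '"c"')), ("¬", ("∈", "x", R_J))]
REPLACE_XY = ("replace", "x", "y", '"d"')
EXAMPLE_REPLACE = [("≈", "x", '"abc"'), ("≈", "y", '"b"'), ("≈", "z", REPLACE_XY)]
```

With M = {x ↦ "abc", y ↦ "ab"} the negated membership of Example 6 already holds, so nothing is returned and the unfolding of the regular expression is skipped; a candidate such as {x ↦ "ajc", y ↦ "aj"} satisfies the word equation but not the membership, and the membership literal is returned as the one constraint to reduce. The same check on an extended term compares the value M guessed for replace(x, y, "d") as a fresh variable against the evaluated "adc".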


5 Fast Techniques for Regular Expression Inclusion 


As mentioned in Sect. 4, regular expression memberships are handled by a lazy 
reduction, which can be seen as a single-step unfolding. While model-based reduc- 
tions can avoid some reductions, the remaining ones may still be expensive. In 
this section, we show another technique to avoid reductions, based on the obser- 
vation that most regular expressions in real programs are relatively simple. We 
focus on those of the form rcon(R1, …, Rn), where each Ri corresponds to a 
fixed or arbitrary number of range or constant regular expressions. Such regular 
expressions are frequently used to match a string that is made up of multiple seg- 
ments, each with a different alphabet. For this fragment of regular expressions, 
our procedure allows us to detect conflicts before unfolding and may additionally 
tell us which regular expression memberships are entailed by others, and hence 
can be discarded. 

We use the notation L(R1) ⊆ L(R2) to denote that R1 matches a subset of the 
strings matched by R2. The derivation rules in Fig. 3 can be used to implement a 
fast, incomplete procedure to prove L(R1) ⊆ L(R2). The procedure applies the 
rules bottom-up to build a derivation tree with L(R1) ⊆ L(R2) as the root. The 
statement is proven if a derivation tree is found where all leaves have no precon- 
ditions. For any given pair of regular expressions, the number of possible rule 
applications is finite, and whether a rule applies can be checked in polynomial 
time w.r.t. the number of elements in the regular expression concatenations. 


² We omit from the implication the trivial antecedent re("a")* ≈ re("a")*. 


  Rule       Preconditions                          Conclusion 
  Emp        (none)                                 L(re(ε)) ⊆ L(R*) 
  Star       (none)                                 L(R) ⊆ L(R*) 
  All        (none)                                 L(R) ⊆ L(Σ*) 
  Refl       (none)                                 L(R) ⊆ L(R) 
  Trans      L(R1) ⊆ L(R2),  L(R2) ⊆ L(R3)          L(R1) ⊆ L(R3) 
  CongStar   L(R1) ⊆ L(R2)                          L(R1*) ⊆ L(R2*) 
  Char       for each x ∈ L(R), |x| = 1             L(R) ⊆ L(Σ) 
  Range      c1 ≥ c3,  c2 ≤ c4                      L(range_{c1,c2}) ⊆ L(range_{c3,c4}) 
  Concat     L(R1) ⊆ L(R3),  L(R2) ⊆ L(R4)          L(rcon(R1, R2)) ⊆ L(rcon(R3, R4)) 


Fig. 3. Rules for deriving L(R1) ⊆ L(R2). 


The first four rules in Fig. 3 have no preconditions. A regular expression R* 
matches zero or more occurrences of R, and the rules Emp and Star use that 
fact to conclude that (the language generated by) R* includes the empty string, 
corresponding to zero occurrences of R, and (the language generated by) R, cor- 
responding to a single occurrence of R. The third rule, All, concludes that every R 
is included in Σ*, which matches all strings. Finally, Refl captures the reflexivity 
of the regular expression inclusion relation. Regular expression inclusion is tran- 
sitive, which is captured by Trans. Additionally, CongStar captures that applying 
the Kleene star to regular expressions preserves the inclusion relation. The next 
two rules are related to regular expressions that match single characters: Char 
concludes that if a regular expression matches only single characters then it is 
included in Σ, which matches all characters; Range compares the bounds of two 
ranges to determine if one is included in the other. Finally, the rule Concat splits 
regular expression concatenations into two parts and ensures that the parts on 
the right-hand side include the parts on the left-hand side. Note that the splits 
themselves can be concatenations, so there is a choice regarding how those con- 
catenations are split into two parts. In the context of this rule, we treat regular 
expressions that match a single word as a concatenation of the individual letters 
of that word. For example, for L("abc") ⊆ L(rcon("ab", Σ)), we could choose 
the subgoal L("c") ⊆ L(Σ) after applying Concat. 
Given a regular expression inclusion L(R1) ⊆ L(R2), the above procedure 
may potentially derive conflicts or propagate regular membership constraints, 
avoiding reducing them. A conflict can be derived from membership constraints 
x ∈ R1 and ¬y ∈ R2 if x ≈ y is entailed by the current context. Similarly, from 
x ≈ y being entailed and y ∈ R1 being asserted, we can propagate the regular 
membership constraint x ∈ R2; and from x ≈ y and ¬y ∈ R2 we can propagate 
¬x ∈ R1. 


Example 7. Consider the following theory literals: 

  x ∈ rcon((range_{0,9})*, Σ*, re("b"), Σ*)    (1) 
  ¬x ∈ rcon((range_{0,9})*, Σ*)                (2) 

We can apply Concat, Refl, and All to the two regular expressions: 


  Refl:    L((range_{0,9})*) ⊆ L((range_{0,9})*) 
  All:     L(rcon(Σ*, re("b"), Σ*)) ⊆ L(Σ*) 
  Concat:  L(rcon((range_{0,9})*, Σ*, re("b"), Σ*)) ⊆ L(rcon((range_{0,9})*, Σ*)) 


This allows us to derive a conflict, since the regular expression of the negative 
membership constraint in Eq. (2) includes the regular expression in the positive 
regular membership constraint in Eq. (1). 
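The inclusion procedure of Fig. 3, as an added Python example that is not code from the paper or from cvc5; it replays Example 7 and a Range/Char case. The tuple encoding of regular expressions, the bottom-up search order and the decision to use Trans only implicitly (by recursing into the inner expression of a star instead of searching for an intermediate expression) are this example's own assumptions.

```python
"""Fast, incomplete check of L(R1) ⊆ L(R2) with the rules of Fig. 3 (Sect. 5).

Added example, not the paper's or cvc5's code. Regular expressions are nested
tuples (an assumption of this example): ("re", "abc") is the singleton
language {"abc"}, ("Σ",) all one-character strings, ("range", "0", "9") the
characters between "0" and "9", ("star", R) the Kleene star and
("rcon", R1, ..., Rn) concatenation. Trans is not searched for explicitly;
it is only used implicitly when Star is chained with a recursive call.
"""

SIGMA = ("Σ",)
SIGMA_STAR = ("star", SIGMA)
EPS = ("re", "")


def letters(R):
    """Flatten R for Concat: a constant word becomes the concatenation of its letters."""
    if R[0] == "re":
        return [("re", ch) for ch in R[1]]
    if R[0] == "rcon":
        return [x for a in R[1:] for x in letters(a)]
    return [R]


def rcon(parts):
    return parts[0] if len(parts) == 1 else ("rcon",) + tuple(parts)


def single_chars_only(R):
    """Precondition of Char, checked syntactically."""
    return R == SIGMA or R[0] == "range" or (R[0] == "re" and len(R[1]) == 1)


def included(R1, R2):
    """True if the rules of Fig. 3 derive L(R1) ⊆ L(R2); False means 'not proven'."""
    l, r = letters(R1), letters(R2)
    if l == r or R2 == SIGMA_STAR:                        # Refl, All
        return True
    if R2[0] == "star":
        if R1 == EPS or included(R1, R2[1]):              # Emp; Star (chained via Trans)
            return True
        if R1[0] == "star" and included(R1[1], R2[1]):    # CongStar
            return True
    if R2 == SIGMA and single_chars_only(R1):             # Char
        return True
    if R1[0] == "range" and R2[0] == "range":             # Range: c1 ≥ c3 and c2 ≤ c4
        return R2[1] <= R1[1] and R1[2] <= R2[2]
    for i in range(1, len(l)):                            # Concat: try every split of both sides
        for j in range(1, len(r)):
            if included(rcon(l[:i]), rcon(r[:j])) and included(rcon(l[i:]), rcon(r[j:])):
                return True
    return False


# Example 7 of the paper: literal (1) is positive, literal (2) is negated.
DIGITS = ("star", ("range", "0", "9"))
EXAMPLE_7_POS = ("rcon", DIGITS, SIGMA_STAR, ("re", "b"), SIGMA_STAR)
EXAMPLE_7_NEG = ("rcon", DIGITS, SIGMA_STAR)


def example_7():
    """(derivable: L(pos) ⊆ L(neg), hence a conflict; not derivable: the converse)."""
    return included(EXAMPLE_7_POS, EXAMPLE_7_NEG), included(EXAMPLE_7_NEG, EXAMPLE_7_POS)
```

Because the positive literal's language is included in the negated literal's language, the two memberships on the same x contradict each other without unfolding either regular expression. The procedure is incomplete by design: a False answer means "not proven", not "not included"; for instance L(re("c")) ⊆ L(rcon(Σ*, re("c"))) is not derived, since Concat requires a non-empty part on each side of both splits.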


6 An Extended Strategy for Strings in CDCL(T) 


In this section, we summarize our overall strategy for solving string constraints 
that leverages the aforementioned techniques. This strategy integrates the tech- 
niques presented in this paper with existing techniques used in modern string 
solvers. In general, the techniques presented in this work are applicable to a 
wide range of solvers. The techniques from Sect.3 can be combined with any 
string solver that computes the congruence closure of the constraints. Model- 
based reductions are applicable to string solvers that can compute models and 
have the infrastructure to selectively refine/ignore certain constraints. Regular 
expression inclusion can be used in all string solvers. 

Recall that in a CDCL(T)-based SMT solver, the theory solvers produce 
conflict clauses or lemmas based on the content of the current context, the truth 
assignment incrementally constructed by the SAT solver. In the following, we 
split the discussion between checks that are performed on partial assignments 
and checks that are performed on full assignments from the SAT solver. 


Checking Partial Assignments. Recall that M is the assignment to literals chosen 
by the SAT solver. In our implementation, whenever the SAT solver adds a literal 
(~)t ~ s to M, that literal is immediately added to the congruence closure data 
structure of the appropriate theory. This means that in a typical configuration, 


3 In our implementation, each theory locally maintains its own congruence closure 
data structure. 
checkFull(S) 
1  Let F = getRefineExt(S); if F = ∅ return SAT else return F 

getRefineExt(S) 
1  C, E, E_m := ∅ 
2  for all ext. terms and r.e. memberships t ∈ T(S) where t = f(t1, ..., tn) do 
3    if ∃ s1, ..., sn s.t. S ⊨ t1 ≈ s1 ∧ ... ∧ tn ≈ sn and f(s1, ..., sn)↓ = c then 
4      if S ⊭ t ≈ c then add t to C 
5    else if t is x ∈ R then 
6      Let b be the Boolean value such that S ⊨ t ≈ b. 
7      if b = ⊥ and S ⊨ x ≈ x' ∧ (x' ∈ R') and L(R') ⊆ L(R) then 
8        return CONFLICT, {(x ≉ x' ∨ x ∈ R ∨ ¬x' ∈ R')} 
9      else if S ⊨ x ≈ x' ∧ (x' ∈ R') ≈ b and 
         ((L(R') ⊆ L(R) and b = ⊤) or (L(R) ⊆ L(R') and b = ⊥)) then 
10       continue 
11     end if 
12     Add t to E_m if b is false, and E otherwise 
13   else 
14     Add t to E 
15   end if 
16 end for 
17 if C is non-empty then return {cd_simplify(S, t) | t ∈ C} 
18 F := getRefine(S) 
19 if F is non-empty then return F 
20 if E is non-empty then return {reduce(t) | t ∈ E} 
21 Construct model M for α(S) and return {reduce(t) | t ∈ E_m, S ⊭ t ≈ t^M} 

Fig. 4. Strings theory solver using context-dependent simplification, regular expression 
inclusion, and model-based reductions. 


conflicts that are based purely on equality reasoning may be raised the moment 
M becomes unsatisfiable in the theory. This behavior makes the SMT solver 
faster, as it may backtrack without having to generate any further extension to 
M. The techniques in Sects. 3.1 and 3.2 increase the likelihood that such conflicts 
may be discovered eagerly based on evaluation, arithmetic approximations, and 
tracking prefixes and suffixes for string terms. Given that those techniques are 
executed every time the SAT solver assigns a value, it is imperative that they 
are inexpensive. 


Checking Full Assignments. When a full assignment is generated by the SAT 
solver, each theory solver is called upon to do a full effort consistency check on 
the assignment M. We describe the strategy used for strings that incorporates 
reasoning about context-dependent simplification, regular expression inclusion, 
and model-based reductions. 

Our approach checkFull is sketched in Fig. 4, which summarizes the behavior 
of our (extended) theory solver for strings to be used in the CDCL(T) loop. 
The method takes as input a set of string constraints S, which is the subset of 
the literals assigned by the SAT solver that belongs to the theory of strings. We 
assume the method is called when S is satisfiable in the empty theory, and is such 
that the techniques from Sect. 3 did not raise a conflict. It calls the subprocedure 
getRefineExt, which returns a set of formulas F. This set may contain a conflict 
clause, that is, a disjunction of literals that are false in S. If F is non-empty, 
these formulas are returned to the SAT solver. Otherwise, if F is empty, then 
the method returns SAT, indicating that S is satisfiable. 

In the subprocedure getRefineExt, we first classify the extended terms t from 
S by adding them to (at most) one of three sets: the set of terms C to simplify 
based on the context, the set of terms E to reduce, and the set of terms E_m to 
reduce if necessary based on a candidate model. This is done as follows. We first 
check if term t can be simplified based on the context, that is, if we can infer 
that its arguments are equivalent to terms s1, ..., sn such that f(s1, ..., sn) can 
be simplified to a constant c. In this case, t is added to C if it is not already 
entailed in S to be equal to c. Otherwise, if t is a regular expression membership 
x ∈ R, then we check whether t is otherwise directly in conflict with another 
membership or can be discarded. The former holds when it is the case that 
x ∈ R holds with negative polarity, there exists a term x' that is entailed to 
be equal to x such that x' ∈ R' is entailed to hold with positive polarity, and 
our regular expression inclusion test can prove that the language of R includes 
that of R'. In this case, we know that we are in conflict since x cannot be both 
in R' and not in R, and a conflict clause is returned. Otherwise, we may avoid 
reducing t if it is entailed by another membership x' ∈ R' with the same polarity, 
again where x' is entailed equal to x. This may occur if the language of R 
includes R' and the polarity of both memberships is positive, or if R' includes 
R and the polarity of both memberships is negative. If none of these cases 
hold, then we add t to E if it is a positive membership, and E_m otherwise. Here, 
the intuition is that negative memberships are both more expensive to reason 
about via reductions, and more likely to be satisfied by candidate models. All 
other extended terms are added to E, marking them to be reduced. Although 
not shown in the figure, if t is an application of string containment, then it is 
handled analogously to regular expression membership, noting that ctn(x, y) is 
equivalent to x ∈ rcon(Σ*, re(y), Σ*). 

Assuming the above classification, we run four steps in decreasing order of 
priority. First, if C is non-empty, we add the simplification formula for each 
t ∈ C, where we write cd_simplify(S, t) to denote the formula corresponding to 
the context-dependent simplification of t in S. Second, we run the core theory 
solver for strings, denoted by method getRefine, which we assume runs the rule- 
based procedure from [21]. For our purposes, we assume this method returns a 
(possibly empty) set of refinement lemmas or conflict clauses, which we denote F, 
and return this set if it is non-empty. Otherwise, if our set of terms to reduce 
is non-empty, we return the set of reduction formulas reduce(t) for all t ∈ E. 
If none of these cases generated lemmas, then we construct a candidate model 
M for the abstraction of S, denoted α(S), which denotes a formula where all 
extended terms in S are replaced by fresh variables. Then, for each t ∈ E_m we 
check whether the constraint for t holds in the candidate model M. In particular, 
this is the case if S ⊨ t ≈ t^M. We return reduce(t) only for terms t for which this 
does not hold. 

Notice that the model M serves only as a way of filtering our reductions. We 
do not apply context-dependent simplification based on the model, e.g., adding 
the lemma (t1 ≈ t1^M ∧ ... ∧ tn ≈ tn^M) ⇒ t ≈ f(t1^M, ..., tn^M), as this would 
introduce an unbounded number of new literals t_i ≈ t_i^M to the search. 


Table 1. Number of solved problems per benchmark set for different configurations. 
Best results are in bold. All benchmarks ran with a timeout of 1200 s. 

Set                  cvc5    cvc5-v  cvc5-e  cvc5-m  cvc5-r  cvc5-vmre     z3 
Industry (62)          58      57      58      56      57         55     31 
Slog (17)              17      17      17      17      17         17     10 
QGen (159)            158     158     159     159     158        153    159 
Norn (175)             85      84      81      98      85         88     47 
Kepler (436)           89      89      89      89      89         89     85 
Kaluza (225)          225     225     225     225     225        225     65 
PyEx (6,948)        6,927   6,902   6,931   6,767   6,926      6,716  5,949 
Slent (105)            93      82      69      93      93         41     39 
Leetcode (13)          13      13      13      13      13         13     11 
FullStrInt (2,718)  2,630   2,608   2,630   2,629   2,628      2,611  2,461 
SmallRw (73)           52      52      52      51      52         51      6 
Total (10,931)     10,347  10,287  10,324  10,197  10,343     10,059  8,863 


7 Evaluation 


We have implemented the strategy from Sect. 6 by extending cvc5, a CDCL(T)- 
based state-of-the-art SMT solver that implements context-dependent simplifica- 
tions [29], aggressive rewriting [27], and efficient reductions [28]. To evaluate our 
extension, we measure its performance on the 69,907 SMT-LIB benchmarks [9] 
that include the theory of strings⁴ and on a set of 74 benchmarks which we have 
obtained from an industrial partner but are not allowed to make public. In this 
section, we present and discuss the results of that evaluation. 

We test the performance impact of the four techniques presented in this paper: 
enhanced congruence closure (v), eager conflicts based on properties of equiva- 
lence classes (e), model-based reductions (m), and regular expression inclusion 
(r). We compare a configuration with all techniques enabled (cvc5) with config- 
urations that disable individual techniques (prefixed with cvc5-*). To measure 
the combined impact, we additionally include a configuration that disables all 
techniques presented in this paper, but otherwise uses all of cvc5's advanced 
techniques for strings (cvc5-vmre). Finally, as an additional reference point, we 
compare with another state-of-the-art solver, Z3 version 4.8.14 [15]. In our expe- 
rience, Z3 is the most stable, feature-complete competitor to cvc5's string solver. 
We omit a comparison with Z3str4 [23] because it returned wrong answers at 
SMT-COMP 2021 [2] and there has not been a new release. Similarly, we omit a 
comparison with Z3-Trau 1.1 [1] (the successor of Trau [4]), because we found 
it to be unsound in earlier work [28]. Finally, OSTRICH 1.1 [14] requires inputs 
to be in the straight-line fragment [22], which is not the case for some of the 
benchmarks. 


⁴ We excluded one benchmark with a quantifier in the quantifier-free logic QF_SLIA. 


Fig. 5. Cactus plot of the number of solved benchmarks. All benchmarks ran with a 
timeout of 1200 s. 

We ran all experiments on a cluster equipped with Intel Xeon E5-2620 v4 
CPUs. We allocated one physical CPU core and 8GB of RAM for each solver- 
benchmark pair and used a time limit of 1200 s, which is the same time limit 
used at SMT-COMP 2021. In the following presentation of the results, we omit 
the 59,050 benchmarks that are solved in less than a second by all solvers to 
emphasize non-trivial benchmarks. Table 1 lists the number of solved benchmarks 
for each benchmark family and configuration. Figure 5 shows a cactus plot of 
the number of solved instances for each configuration. The scatter plots in Fig. 6 
compare the performance of cvc5 with the other cvc5 configurations and z3. 
Each scatter plot shows the solving times of the two solvers for each benchmark 
and differentiates between satisfiable and unsatisfiable inputs. 

Overall, all configurations of cvc5 significantly outperform Z3, which is 
reflected in Fig. 5. The scatter plot in Fig. 6f shows that while cvc5 outperforms 
Z3, they also complement each other to a certain extent, which is not surpris- 
ing given the complexity of the problem and the fact that the two code bases 
differ significantly. Overall, Z3 solves 270 benchmarks that cvc5-vmre does not 
solve and 171 benchmarks that cvc5 does not solve. Conversely, cvc5 solves 
1645 benchmarks that z3 does not solve. Between cvc5 and cvc5-vmre, cvc5 
uniquely solves 309 benchmarks and cvc5-vmre 15 benchmarks. This suggests 
that our techniques help cvc5 solve some of the benchmarks that previously 
only Z3 could solve, but that they also have a significant impact on benchmarks 
that Z3 could not solve. Thus, adapting those techniques in Z3 may be beneficial. 


222 A. Nötzli et al. 


[Fig. 6: six scatter plots (a)-(f) of the solving time of cvc5 against each other 
configuration and against z3, with logarithmic axes] 
Fig. 6. Scatter plots that compare the performance of cvc5 with the other configura- 
tions. The scatter plots differentiate between satisfiable and unsatisfiable benchmarks. 
The PyEx benchmarks show the biggest difference in number of solved bench- 
marks across the techniques, with model-based reductions (m) solving 160 more 
benchmarks, significantly increasing the success rate for cvc5. Figure 6c indi- 
cates that primarily satisfiable benchmarks benefit from m. This is expected 
because the technique allows the solver to skip reductions if it guesses a correct 
model. Nevertheless, some unsatisfiable benchmarks are also solved noticeably 
faster due to m. This is possibly due to the technique resulting in a search that 
prioritizes reducing operators that are more likely to participate in conflicts. 
Both the enhanced congruence closure (v) and the more eager conflicts (e) 
have a relatively low impact on the number of solved benchmarks. However, 
Figs. 6a and 6b show they significantly improve solving times on several bench- 
marks. This is expected because they allow the solver to detect conflicts more 
eagerly, but the same or similar conflicts would have been found (later on) with 
existing techniques. Since the solving procedure does not fundamentally change, 
roughly the same benchmarks should be solved when adding these techniques, 
but potentially much faster. 

Finally, the regular expression inclusion technique (r) has a low impact over- 
all, since it is restricted to a specific fragment, but Fig. 6d shows it significantly 
improves solving time for a few benchmarks. The benchmarks come from the set 
of industrial problems and from the QGen set of benchmarks. While the tech- 
nique does not always apply, we have found it to be very important for certain 
industrial problems. Moreover, the scatter plot shows that having the technique 
available has no negative effect, which allows such a specialized procedure to be 
always active in a modular solver. 


8 Conclusion 


We have presented new techniques that make conflict detection more eager and 
reductions lazier in CDCL(T)-based string solvers. Our evaluation shows that 
both classes of techniques significantly improve performance in the state-of-the- 
art SMT solver cvc5 on SMT-LIB and industrial problems. As future work, 
we plan to generalize our eager equality-based conflict detection to leverage 
more sophisticated properties. We also plan to apply similar techniques to other 
congruence-closure-based theory solvers, such as those for the theory of finite sets 
and relations. The set of rules for proving regular expression inclusion was driven 
by empirical work on industrial benchmarks, but it could be expanded. We also 
plan to investigate further strategies for lazy reductions of other extended string 
terms that lead to bottlenecks in real-world applications. 
Abstract. Satisfiability Modulo Linear Integer Arithmetic, SMT (LIA) 
for short, has significant applications in many domains. In this paper, we 
develop the first local search algorithm for SMT (LIA) by directly operat- 
ing on variables, breaking through the traditional framework. We propose 
a local search framework by considering the distinctions between Boolean 
and integer variables. Moreover, we design a novel operator and scoring 
functions tailored for LIA, and propose a two-level operation selection 
heuristic. Putting these together, we develop a local search SMT (LIA) 
solver called LS-LIA. Experiments are carried out to evaluate LS-LIA on 
benchmarks from SMTLIB and two benchmark sets generated from job 
shop scheduling and data race detection. The results show that LS-LIA is 
competitive and complementary with state-of-the-art SMT solvers, and 
performs particularly well on those formulae with only integer variables. 
A simple sequential portfolio with Z3 improves the state-of-the-art on 
satisfiable benchmark sets of LIA and IDL benchmarks from SMT-LIB. 
LS-LIA also solves Job Shop Scheduling benchmarks substantially faster 
than traditional complete SMT solvers. 


Keywords: SMT · Local Search · Linear Integer Arithmetic · Integer 
Difference Logic 


1 Introduction 


Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability 
of a first order logic formula with respect to certain background theories. Inspired 
by the great success of propositional satisfiability (SAT) solving, SMT attempts 
to generalize the advances of satisfiability solvers from propositional logic to 
fragments of first order logic. Typical theories supported by SMT include the 
theories of integers, real numbers, lists, arrays and bit-vectors. The field of SMT 
has seen significant progress in the past two decades. SMT solvers have become 
important formal verification engines, with applications in various domains. 

In this paper, we focus on the theory of Linear Integer Arithmetic (LIA), 
consisting of arithmetic atomic formulae in the form of Σ_i a_i x_i + c ⋈ 0, where 
⋈ ∈ {=, ≤}, c and the a_i's are rational numbers and the x_i's are integer variables. More- 
over, we are also interested in a popular fragment of LIA, namely Integer Dif- 
ference Logic (IDL), consisting of arithmetic atomic formulae that constrain the 
difference between pairs of integer variables, in the form of a − b ≤ k, where 
a, b are integer variables and k is an integer constant. The SMT problem with 
the background theory of LIA or IDL is to determine the satisfiability of a 
Boolean combination of the respective arithmetic atomic formulae and propositional 
variables, and is referred to as SMT (LIA) and SMT (IDL), respectively. 

SMT (LIA) is important in software verification and automated reasoning, 
since most programs use integer variables and perform arithmetic operation on 
them [35]. Specifically, SMT (LIA) has various applications in automated termi- 
nation analysis [16], sequential equivalence checking [34], and state reachability 
checking under weak memory models [24]. SMT (IDL) has found applications 
in problems with timing-related constraints [17], such as hardware models with 
ordered data structures [23], stable models computing [30], and job shop schedul- 
ing [40]. 

Much effort has been devoted to solving SMT (LIA) and SMT (IDL). The 
most popular approach is the lazy approach [3,41], also known as DPLL(T) 
[38], which is a central development of SMT. Many DPLL(T) solvers have been 
developed for SMT (LIA) [7,19] and SMT (IDL) [31,37,47]. In this approach, 
the formula is abstracted into a Boolean formula by replacing arithmetic atomic 
formulae with fresh Boolean variables. A SAT solver is used to reason about the 
Boolean structure and solve the Boolean formula, while a theory solver receives 
assignments from the SAT solver and performs decision procedure to solve the 
conjunctions of atomic subformulae, including consistency checking of the assign- 
ments and theory-based deduction. 

The effort in this approach is mainly devoted to producing more effective 
theory solvers. Simplex-based linear arithmetic solvers that can be integrated 
efficiently in the DPLL(T) framework were studied [19]. A simplex-based deci- 
sion procedure that minimizes the sum of infeasibilities of constraints was pro- 
posed [32]. A theory solver made use of layering and several heuristics to achieve 
good performance [26]. A theory solver called SPASS-IQ was designed to effi- 
ciently handle unbounded problems [6,8]. According to recent SMT Competi- 
tions,¹ almost all state-of-the-art SMT (LIA) and SMT (IDL) solvers are based 
on the lazy approach, including MathSAT5 [15], CVC5 [2], Yices2 [21], Z3 [18], 
SMTInterpol [14] and SPASS-SATT [7]. 

The other approach is the eager approach, where the formula is reduced 
to an equi-satisfiable Boolean formula and then solved by a SAT solver. This 
approach works well for SMT (IDL). Typically, all intrinsic dependencies between 
integer variables are computed and encoded as Boolean constraints. Encoding to 
Boolean formula is done either by deriving adequate ranges for formula variables 
(a.k.a. small domain encoding) [9,39,45], or by deriving all possible transitivity 
constraints (a.k.a per-constraint encoding) [44]. A hybrid method combining the 
strengths of two encoding scheme showed robust performance [43]. 

Local search is an incomplete method which plays an important role in many 
combinatorial problems [28]. Local search algorithms move from solution to solu- 
tion in the space of candidate solutions by applying local changes. It has been 
successfully applied to Boolean Satisfiability (SAT) problem [1,4,12,13,33] and 
is competitive with CDCL solvers on certain types of instances. However, very 
limited effort has been devoted to local search for SMT. The idea of integrat- 
ing local search solvers with theory solvers has been explored before, where a 
local search SAT solver WalkSAT is used to solve the Boolean skeleton of the 
SMT formula [26]. A pure local search solver [22] was proposed to solve SMT 
on the theory of bit vectors directly on the theory level, by lifting the successful 
techniques in local search SAT solvers to the SMT level. In [36], a precise prop- 
agation based local search for SMT on the theory of bit vectors is proposed, by 
introducing a notion of essential inputs to lift the concept of controlling inputs 
from the bit-level to the word-level. We are not aware of any work on local search 
solvers for SMT on integer arithmetic theories. 

This work, for the first time, develops a local search solver for SMT (LIA), 
which directly operates on both Boolean and integer variables, breaking through 
the traditional approaches. We propose a local search framework, which switches 
between two modes, namely Boolean mode and Integer mode. Each mode con- 
sists of consecutive operations of the same type (either Boolean or integer). 
Moreover, for the Integer mode, we propose a literal-level operator named crit- 
ical move and a fine-grained scoring function named distance score which takes 
into account the distance to truth of literals and distance to satisfaction of clauses. 
A two-level heuristic is proposed to pick a critical move operation. By putting 
these together, we develop a local search solver for SMT (LIA) called LS-LIA. 

Experiments are conducted to evaluate LS-LIA on 4 benchmarks, includ- 
ing QF_LIA and QF_IDL benchmarks from SMTLIB (excluding unsatisfiable 
instances),² instances encoded from job shop scheduling (JSP) and instances 
generated by data race detection system on a real world benchmark [29]. We 
compare our solver with state of the art SMT solvers including Z3, CVC5, 
Yices and MathSAT5. Experimental results show that LS-LIA is competitive 
and complementary with state-of-the-art SMT solvers. Particularly, LS-LIA is 
good at solving instances without Boolean variables, noting that a large portion 
in SMTLIB (81.1% for LIA and 44.1% for IDL) belongs to this type. A simple 
sequential portfolio with Z3 improves the state-of-the-art on satisfiable QF_LIA 
and QF_IDL benchmarks from SMT-LIB. LS-LIA also solves Job Shop Schedul- 
ing benchmarks substantially faster than traditional complete SMT solvers. 


² http://www.smt-lib.org/. 


230 S. Cai et al. 


2 Preliminary 


Definition 1. Linear Integer Arithmetic (LIA): Let P = {p1, p2, ..., pn} be a set 
of propositional (Boolean) variables and X = {x1, x2, ..., xm} be a set of integer- 
valued variables. The linear integer arithmetic formulae are inductively defined. 


1) p ∈ P is a propositional atomic LIA formula. 

2) Σ_i a_i x_i ⋈ k is an arithmetic atomic LIA formula, where ⋈ ∈ {=, ≤}, x_i ∈ 
X, and k and the a_i are constant coefficients (rationals or integers). 

3) If φ and ψ are LIA formulae, so are φ ∨ ψ, φ ∧ ψ and ¬φ. 


In the above definition, we note that with '≤' and '=', the other inequalities 
can also be expressed. Specifically, we can express Σ_i a_i x_i < k as Σ_i a_i x_i ≤ 
k − 1, Σ_i a_i x_i > k as ¬(Σ_i a_i x_i ≤ k), and Σ_i a_i x_i ≥ k as Σ_i (−a_i x_i) ≤ (−k). 

A popular fragment of linear integer arithmetic is called Integer Difference Logic 
(IDL), where the arithmetic atomic formulae are in the form of x_i − x_j ⋈ k, where 
⋈ ∈ {=, ≤}, x_i, x_j ∈ X and k is a constant. 


Example 1. A typical SMT (LIA) formula F: (p1 ∨ (x1 + 2x2 ≤ 2)) ∧ (p2 ∨ (3x3 + 
4x4 + 5x5 = 2) ∨ (−x2 − x3 ≤ 3)), where X = {x1, x2, x3, x4, x5} and P = {p1, p2} 
are the sets of integer-valued and propositional variables respectively. 


A literal is an atomic formula, or the negation of an atomic formula. A clause 
is the disjunction of a set of literals, and a formula in conjunctive normal form 
(CNF) is the conjunction of a set of clauses. For an SMT (LIA) formula F, an 
assignment α is a mapping X → Z and P → {false, true}, and α(x) denotes the 
value of a variable x under α. A complete assignment is a mapping which assigns 
to each variable a value. A literal is a true literal if it evaluates to true under 
the given assignment, and otherwise it is a false literal. A clause is satisfied if 
it has at least one true literal, and falsified if all literals in the clause are false. 
A complete assignment is a solution to an SMT (LIA) formula if it satisfies all 
the clauses. 

When applying local search algorithms to solve a satisfiability problem, the 
search space consists of all complete assignments, each of which is a candidate 
solution. Typically, a local search algorithm starts from a complete assignment, 
and iteratively modifies the assignment by changing the value of one variable, 
to search for a satisfying assignment. 

In local search, an operator defines how to modify the candidate solution. 
When an operator is instantiated by specifying the variable to operate, we obtain 
an operation. For example, a standard operator for SAT is flip, which modifies 
the current assignment by changing the value of a Boolean variable, and flip(x_i) 
is an operation, where x_i is a Boolean variable in the formula. 

Given a formula F, the cost of an assignment α, denoted as cost(α), is the 
number of falsified clauses under α. In dynamic local search algorithms which 
use clause weighting techniques, however, cost(α) denotes the total weight of all 
falsified clauses under an assignment α. Given a formula and an assignment α, 
an operation op is said to be decreasing if cost(α') < cost(α), where α' is the resulting 
assignment by applying op to α. 
Algorithm 1: Local Search of Mode X 

/* X can be Integer or Boolean */ 
1 while non_impr_steps < L × P_X do 
2   if α satisfies F then return α 
3   if ∃ decreasing X operations then 
4     op := a decreasing X operation 
5   if fail to find decreasing X operation then 
6     update clause weights; 
7     op := an X operation from a random falsified clause containing X 
      literals; 
8   perform op to modify α; 


3 A Local Search Framework for SMT (LIA) 


In this section, we introduce a local search framework for SMT (LIA), which 
switches between integer operations and Boolean operations. 


[Fig. 1 diagram: Initialization, then Integer Mode; Integer Mode switches to 
Boolean Mode when non_improve_steps > L × P_I, and Boolean Mode switches 
back to Integer Mode when non_improve_steps > L × P_B] 

Fig. 1. An SMT Local Search Framework 

In the beginning, the algorithm generates a complete assignment α. Then, 
it iteratively modifies α by performing operations on variables. The algorithm 
terminates once α becomes a solution to the formula, and outputs "SATISFI- 
ABLE" as well as the solution. If the algorithm fails to find a solution within 
the pre-set time limit, it is cut off and outputs "UNKNOWN". 

As depicted in Fig. 1, after the initialization, the algorithm works in two 
modes, namely Integer mode and Boolean mode. In each mode X (X is Inte- 
ger or Boolean), an X operation is picked to modify α, where an X operation 
refers to an operation that works on a variable of data type X. The two modes 
switch to each other when the number of non-improving steps (denoted as 
non_improve_steps) of the current mode reaches a threshold. The threshold is 
set to L × P_B for the Boolean mode and L × P_I for the Integer mode, where 
P_B and P_I denote the proportion of Boolean and integer literals to all literals 
in falsified clauses, and L is a parameter. Note that non_improve_steps is set 
to 0 whenever entering a mode, and then in each following step, it increases by 
one if cost(α) > cost* in the current step, where cost* is the cost of the best 
assignment visited before. 
The intuitions of the two-mode framework are as follows. When all variables 
of one type (either Boolean or integer) are fixed, the formula is reduced to a 
subformula that contains only variables of the other type. Thus, by consecutively 
performing X (X can be Boolean or Integer) operations in a certain period, the 
algorithm focuses on dealing with a subformula consisting of only X variables. 
The switching threshold is set as L × P_X, as we consider that when X literals 
account for a larger proportion of all literals in falsified clauses, more steps should 
be allocated for the corresponding mode. 
Local Search in One Mode 

No matter the mode in which the algorithm works, it adopts a general pro- 
cedure as described in Algorithm 1. It prefers to pick a decreasing operation 
(according to some heuristic) if any. If the algorithm fails to find any decreasing 
operation, it updates clause weights by increasing the weights of falsified clauses, 
and then picks an X operation from a random falsified clause containing X liter- 
als. Note that we can always pick a falsified clause with X literals (line 7). This 
is because when the algorithm works in X mode, since non_impr_steps < L × P_X, 
we have P_X > 0, and so there exists at least one falsified clause with X literals. 

As for clause weighting, our algorithm employs the probabilistic version of 
the PAWS scheme [13,46]. When the clause weighting scheme is activated, the 
clause weights are updated as follows. With probability 1— sp, the weight of each 
falsified clause is increased by one, and with probability sp, for each satisfied 
clause whose weight is greater than 1, the weight is decreased by one. 


4 The Critical Move Operator and a Two-Level Heuristic 


In this section, we introduce key techniques in the Integer mode. We propose a 
novel operator called critical move, and also a two-level heuristic for choosing a 
critical move in the Integer mode. 

A key and basic component of a local search algorithm is the operator. For 
handling Boolean variables, our algorithm adopts the typical local search oper- 
ator for SAT, namely flip, which modifies the value of a Boolean variable to 
the opposite of its current value (from True to False, or from False to True). 
For handling integer variables, we propose a novel operator called critical move 
which works on the literal level. 


4.1 Critical Move 


Different from the Boolean operator, an integer operator has two parameters — 
besides the variable to operate, it also needs to consider the increment (may be 
positive or negative) on the value. 

Let us first consider a simple operator, which motivates us to propose a literal- 
level operator. A simple integer operator is to modify the value of a variable a 
by a fixed increment inc, that is, α(a) := α(a) + inc. The parameter inc needs 
fine tuning. If inc is too small, it may take many iterations before making any 
falsified literal become true. If inc is too big, the algorithm may even become 
so problematic that it can never make some literals true and is thus essentially unable 
to solve some formulae. 


Example 2. Given a formula $F : (b - a \geq 3) \wedge (b - a \leq 5)$ and the current assignment $\alpha = \{a = 0, b = 0\}$. If $inc = 1$, it needs at least 3 operations to satisfy the formula. If $inc = 10$, then the formula cannot be satisfied using operations of this type, as the value of $b - a$ would always be a multiple of 10.


In fact, in order to avoid the case that some literals can never become true 
(when the inc is too big), the only acceptable value of inc is 1. The main reason 
accounting for such a drawback is that the above operator ignores the literal- 
level information. We propose a literal-level operator for integer variables called 
critical move, which is defined below. 


Definition 2. The critical move operator, denoted as $cm(x, \ell)$, assigns an integer variable $x$ to the threshold value making literal $\ell$ true, where $\ell$ is a falsified literal containing $x$. Specifically, for each of the four basic forms of the falsified literal $\ell$, let $\Delta = \sum_i a_i x_i - k$; an operation is described below:

- $\ell: \sum_i a_i x_i \leq k$. There exists a cm operation $cm(x_i, \ell)$ for each variable $x_i$: if the coefficient $a_i > 0$, then $cm(x_i, \ell)$ decreases $\alpha(x_i)$ by $\lceil \Delta / a_i \rceil$; if $a_i < 0$, then $cm(x_i, \ell)$ increases $\alpha(x_i)$ by $\lceil |\Delta / a_i| \rceil$.
- $\ell: \neg(\sum_i a_i x_i \leq k)$, that is, $\sum_i a_i x_i > k$. There exists a cm operation $cm(x_i, \ell)$ for each variable $x_i$: if the coefficient $a_i > 0$, then $cm(x_i, \ell)$ increases $\alpha(x_i)$ by $\lceil (1 - \Delta) / a_i \rceil$; if $a_i < 0$, then $cm(x_i, \ell)$ decreases $\alpha(x_i)$ by $\lceil |(1 - \Delta) / a_i| \rceil$.
- $\ell: \sum_i a_i x_i = k$. There exists an operation $cm(x_i, \ell)$ for each variable $x_i$ with $a_i \mid \Delta$, which increases $\alpha(x_i)$ by $-\Delta / a_i$.
- $\ell: \neg(\sum_i a_i x_i = k)$. There exist 2 cm operations for each variable $x_i$, to $+1$ or $-1$ on $x_i$.


Given the above definition of the critical move, an issue with this operator is that it may stall on equalities, when there is no variable with $a_i \mid \Delta$ in $\ell$. To address this issue, in this situation we additionally employ a simple strategy: pick a random variable in that literal and perform $+1$ or $-1$ on it so as to decrease $|\Delta|$.


Example 3. Assume we are given two falsified literals $\ell_1 : (2b - a \leq -3)$ and $\ell_2 : (5c - d + 3a = 5)$, and the current assignment is $\alpha = \{a = 0, b = 0, c = 0, d = 0\}$. Then $cm(a, \ell_1)$, $cm(b, \ell_1)$, $cm(c, \ell_2)$, and $cm(d, \ell_2)$ refer to assigning $a$ to 3, assigning $b$ to $-2$, assigning $c$ to 1 and assigning $d$ to $-5$ respectively. Note that there does not exist $cm(a, \ell_2)$, since $3 \nmid -5$.


An important property of the cm operator is that after the execution of a 
cm operation, the corresponding literal must be true. Therefore, by picking a 
falsified literal and performing a cm operation on it, we can make the literal 
become true. 

The critical move operations are analogous to update operations in other linear arithmetic model searching procedures. For example, Simplex for DPLL(T) [20] also progresses through a sequence of candidate assignments by updating the assignment to a variable to satisfy its bound. The significant distinction of critical moves is that they only update input variables and always update by an integral amount, as we can see from Definition 2.


4.2 A Two-Level Heuristic 


In this subsection, we propose a two-level heuristic for selecting a decreasing 
cm operation. We distinguish a special type of decreasing cm operations from 
others, and give a priority to such operations. 

From the viewpoint of algorithm design, there is a major difference between cm and flip operations. A flip operation is decreasing only if the flipped variable appears in at least one falsified clause. For a $cm(x, \ell)$ operation to be decreasing, the literal $\ell$ does not necessarily appear in any falsified clause. This is because integer variables are multi-valued, and a $cm(x, \ell)$ operation that modifies the value of $x$ also affects the other literals containing the same variable $x$.


Example 4. Given a formula $F = c_1 \wedge c_2 = (a - b \leq 0 \vee b - e \leq -2) \wedge (b - d \leq -1)$, suppose the current assignment is $\alpha = \{a = 0, b = 0, d = 0, e = 0\}$; then $c_1$ is satisfied and $c_2$ is falsified. The operation $op_1 = cm(b, b - e \leq -2)$ refers to assigning $b$ to $-2$, and $op_2 = cm(b, b - d \leq -1)$ refers to assigning $b$ to $-1$. The literal of $op_1$ does not appear in any falsified clause, while the literal of $op_2$ appears in the falsified clause $c_2$. Both operations are decreasing, as either of them would make clause $c_2$ become satisfied without breaking any satisfied clause.


In order to find a decreasing cm operation whenever one exists, we need to scan all cm operations on false literals. That is, the candidate set of decreasing operations is $D = \{cm(x, \ell) \mid \ell \text{ is a false literal and } x \text{ appears in } \ell\}$. If $D = \emptyset$, there is no decreasing cm operation. We propose to distinguish a special subset $S \subseteq D$ from the rest of $D$, which is $S = \{cm(x, \ell) \mid \ell \text{ appears in at least one falsified clause and } x \text{ appears in } \ell\}$. Note that any cm operation in $S$ would make at least one falsified clause become satisfied. Based on this distinction, we propose a two-level selection heuristic as follows:


— The heuristic prefers to search for a decreasing cm operation from S. 
— If it fails to find any decreasing operation from S, then it searches for a 
decreasing cm operation from D\S. 


Besides improving the efficiency of picking a decreasing cm operation, there is an important intuition underlying this two-level heuristic. We prefer to pick a decreasing cm operation from $S$, because such operations are conflict driven, as any $cm \in S$ forces a falsified clause to become satisfied. This idea can be seen as a LIA version of focused local search for SAT, which has been the core idea of WalkSAT-family SAT solvers [1,4,42].
5 Scoring Functions


Local search algorithms employ scoring functions to guide the search. We intro- 
duce two scoring functions, which are used to compare different operations and 
guide the local search algorithm to pick an operation to execute in each step. 

Perhaps the most commonly used scoring function for SAT, denoted as $score$, measures the change in the cost of the assignment caused by flipping a variable. This scoring function can indeed be used to evaluate all types of operations, as it only concerns the clause states (satisfied or falsified). We also employ $score$ in our algorithm, for both flip and cm operations. Formally, the score of an operation is defined as

$score(op) = cost(\alpha) - cost(\alpha')$,

where $\alpha'$ is obtained from $\alpha$ by applying $op$. Note that our algorithm employs a clause weighting scheme which associates a positive integer weight with each clause, and thus the cost of an assignment is the total weight of falsified clauses. It is easy to see that an operation $op$ is decreasing if and only if $score(op) > 0$. Our algorithm prefers to choose the operation with greater score in the greedy mode, for both Boolean and integer operations.

For integer operations, we propose a more fine-grained scoring function, mea- 
suring the potential benefit about pushing a falsified literal towards the direction 
of becoming true. Firstly, we propose a property for literals to measure this merit. 


Definition 3. Given an assignment $\alpha$, for an arithmetic literal $\ell : \sum_i a_i x_i \leq k$, its distance to truth is $dtt(\ell, \alpha) = \max\{\sum_i a_i \alpha(x_i) - k, 0\}$. For a Boolean literal $\ell$ and an arithmetic literal $\ell : \sum_i a_i x_i = k$, $dtt(\ell, \alpha) = 0$ if $\ell$ is true under $\alpha$ and $dtt(\ell, \alpha) = 1$ otherwise.


Suppose the current assignment is $\alpha$. For an arithmetic literal $\ell : \sum_i a_i x_i \leq k$, if $\sum_i a_i \alpha(x_i) > k$, then the literal is falsified, and its dtt is defined to be $\sum_i a_i \alpha(x_i) - k$. In this case, if we decrease the value of $x_i$ with $a_i > 0$, or increase the value of $x_i$ with $a_i < 0$, the dtt of $\ell$ decreases. When $\sum_i a_i \alpha(x_i) \leq k$, the literal $\ell$ is true, and thus its dtt is defined to be 0.

The definition of dtt for arithmetic literals resembles the violation function for constraint satisfaction problems [27], and the violation operator in the simplex with sum of infeasibilities for SMT [32]. In this work, we extend it to the clause level to measure the distance of a clause from satisfaction in a fine-grained manner. Based on the concept of distance to truth of literals, we define a function to measure the distance of a clause from satisfaction.


Definition 4. Given an assignment $\alpha$, the distance to satisfaction of a clause $c$ is $dts(c, \alpha) = \min_{\ell \in c}\{dtt(\ell, \alpha)\}$.


According to the definition, the dts is 0 for a satisfied clause, since it contains at least one satisfied literal with $dtt = 0$, while dts is positive for falsified clauses. It is desirable to lead the algorithm to decrease the dts of clauses. To this end, we propose a scoring function to measure the benefit of decreasing the sum of dts over all clauses. Additionally, the function takes the clause weights into account, as the $score$ function does.


Definition 5. Given an LIA formula $F$, the distance score of an operation $op$ is defined as

$dscore(op) = \sum_{c \in F} (dts(c, \alpha) - dts(c, \alpha')) \cdot w(c)$,

where $\alpha$ and $\alpha'$ denote the assignment before and after performing $op$.


For Boolean flip operations, dscore is equal to score. For integer operations, 
however, compared to the score function which only concerns the state (satisfied 
or falsified) transformations of clauses, dscore is more fine-grained, as it considers 
the dts of clauses, which are different among falsified clauses. 


Example 5. Given a formula $F = c_1 \wedge c_2 \wedge c_3 = (a - b \leq -1) \wedge (a - c \leq -5 \vee a - d \leq -10) \wedge (b - c \leq -5 \vee b - d \leq -10)$. Suppose $w(c_1) = 1$, $w(c_2) = 2$, $w(c_3) = 3$, and the current assignment is $\alpha = \{a = 0, b = 0, c = 0, d = 0\}$, and thus all clauses are falsified. Consider two cm operations $op_1 = cm(a, a - b \leq -1)$ and $op_2 = cm(b, a - b \leq -1)$, which assign $\alpha(a) := -1$ and $\alpha(b) := 1$ respectively, leading to $\alpha'$ and $\alpha''$ respectively. Then $score(op_1) = score(op_2) = 1$, as they both make $c_1$ satisfied. Also, $dts(c_2, \alpha) - dts(c_2, \alpha') = 1$, and $dts(c_3, \alpha) - dts(c_3, \alpha'') = -1$, so $dscore(op_1) = (dts(c_1, \alpha) - dts(c_1, \alpha')) \cdot w(c_1) + (dts(c_2, \alpha) - dts(c_2, \alpha')) \cdot w(c_2) = 1 \times 1 + 1 \times 2 = 3$ and $dscore(op_2) = -2$ by a similar calculation. Therefore, $op_1$ is the better operation.


Since the computation of dscore has considerable overhead, this function is 
only used when there is no decreasing operation, as the number of candidate 
operations is limited here, and it is affordable to calculate their dscore. 


6 LS-LIA Algorithm 


Based on the ideas in previous sections, we develop a local search solver for SMT 
(LIA) called LS-LIA. As described in Sect.3, after the initialization, the local 
search works in either Boolean or Integer mode to iteratively modify a until a 
given time limit is reached or a satisfies the formula F. This section is dedicated 
to the details of the initialization and the two modes of local search, as well as 
other optimization techniques. 


Initialization: LS-LIA generates a complete assignment $\alpha$ by assigning the variables one by one until all variables are assigned. All Boolean variables are assigned True. As for an integer variable $x_i$, if it has an upper bound $ub$ and a lower bound $lb$, that is, there exist unit clauses $x_i \leq ub$ and $x_i \geq lb$, it is assigned a random value in $[lb, ub]$. If $x_i$ only has an upper (lower) bound, $x_i$ is assigned $ub$ ($lb$). Otherwise, if the variable is unbounded, it is assigned 0.
Algorithm 2: Local Search of Boolean Mode

 1  while non_impr_steps < L × P_b do
 2      if α satisfies F then return α
 3      if ∃ decreasing flip operation then
 4          op := such an operation with the greatest score
 5      else
 6          update clause weights according to the PAWS scheme;
 7          c := a random falsified clause with Boolean variables;
 8          op := a flip operation in c with the greatest score;
 9      α := α with op performed;

Algorithm 3: Local Search of Integer Mode

 1  while non_impr_steps < L × P_i do
 2      if α satisfies F then return α
 3      if ∃ decreasing cm operation in falsified clauses then
 4          op := such an operation with the greatest score
 5      else if ∃ decreasing cm operation in satisfied clauses then
 6          op := such an operation with the greatest score
 7      else
 8          update clause weights according to the PAWS scheme;
 9          c := a random falsified clause with integer variables;
10          op := a cm operation in c with the greatest dscore;
11      α := α with op performed;


Boolean Mode (Algorithm 2): If there exist decreasing flip operations, the 
algorithm selects such an operation with highest score. 

If the algorithm fails to find any decreasing operation, it first updates clause 
weights according to the weighting scheme described in Sect. 3. Then, it picks a 
random falsified clause with Boolean literals and chooses a flip operation with 
greatest score. 


Integer Mode (Algorithm 3): If there exist decreasing cm operations, the algorithm chooses a cm operation using the two-level heuristic: it first traverses falsified clauses to find a decreasing cm operation with the greatest score (lines 3-4); if no such operation exists, it searches for a decreasing cm operation via the BMS heuristic [10] (lines 5-6). Specifically, it samples t cm operations (t is a parameter) from the false literals in satisfied clauses, and selects the decreasing one with the greatest score.

If the algorithm fails to find any decreasing operation, it first updates clause 
weights similarly to the Boolean mode. Then, it picks a random falsified clause 
with Integer literals and chooses a cm operation with greatest dscore. 
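To make the operator, the two scoring functions and the selection loop concrete, the following Python model is an added example written for this edited page; it is not the LS-LIA code. It covers Definition 2 and Example 3 (critical moves), Definition 5 and Example 5 (score and dscore) and Algorithm 3 (two-level heuristic with BMS sampling and PAWS reweighting at local optima) in one place. It keeps only integer variables, so the Boolean mode, tabu and restart are left out; the literal encoding (coefficient map, relation, constant), the clause and weight lists, the default sample size t, the step limit and the RNG seed are assumptions of the example, while sp takes the paper's value.

```python
"""Added example, not the LS-LIA authors' code: a compact model of the Integer
mode of Sects. 4-6 (critical move, dtt/dts/dscore, PAWS weighting, two-level
heuristic with BMS sampling), without Boolean variables, tabu or restart.
A literal is (coefs, rel, k) meaning sum(coefs[x]*x) rel k with rel in
{'<=', '>', '=', '!='}; a clause is a list of literals; a formula is a list of
clauses.  sp is the paper's value; t, max_steps and seed are assumptions."""
import random

def lhs(lit, alpha):
    return sum(a * alpha[x] for x, a in lit[0].items())

def is_true(lit, alpha):
    v, (_, rel, k) = lhs(lit, alpha), lit
    return {'<=': v <= k, '>': v > k, '=': v == k, '!=': v != k}[rel]

def dtt(lit, alpha):
    """Definition 3; '>' read as -lhs <= -k-1, 0/1 for '!=' is our assumption."""
    v, (_, rel, k) = lhs(lit, alpha), lit
    if rel == '<=':
        return max(v - k, 0)
    if rel == '>':
        return max(k + 1 - v, 0)
    return 0 if is_true(lit, alpha) else 1

def dts(clause, alpha):          # Definition 4
    return min(dtt(l, alpha) for l in clause)

def cost(F, w, alpha):           # total weight of falsified clauses
    return sum(w[i] for i, c in enumerate(F) if dts(c, alpha) > 0)

def cm_ops(lit, alpha):
    """Definition 2: critical moves (x, inc) on a falsified literal, each
    moving x exactly to the threshold that makes lit true."""
    coefs, rel, k = lit
    delta = lhs(lit, alpha) - k  # the paper's Delta
    ops = []
    for x, a in coefs.items():
        if rel == '<=':          # need a*inc <= -delta with |inc| minimal
            ops.append((x, (-delta) // a if a > 0 else -(delta // a)))
        elif rel == '>':         # need a*inc >= 1 - delta
            ops.append((x, -((delta - 1) // a) if a > 0 else (1 - delta) // a))
        elif rel == '=':         # only if the coefficient divides delta
            if delta % a == 0:
                ops.append((x, (-delta) // a))
        else:                    # '!=': +1 or -1 both make it true
            ops += [(x, 1), (x, -1)]
    return ops

def apply(alpha, op):
    return {**alpha, op[0]: alpha[op[0]] + op[1]}

def score(F, w, alpha, op):      # Sect. 5: drop in weighted cost
    return cost(F, w, alpha) - cost(F, w, apply(alpha, op))

def dscore(F, w, alpha, op):     # Definition 5: weighted drop in dts
    new = apply(alpha, op)
    return sum((dts(c, alpha) - dts(c, new)) * w[i] for i, c in enumerate(F))

def candidates(F, alpha, in_falsified):
    """cm ops on false literals of falsified clauses (S) or satisfied ones (D \\ S)."""
    return [o for c in F if (dts(c, alpha) > 0) == in_falsified
            for l in c if not is_true(l, alpha) for o in cm_ops(l, alpha)]

def best_decreasing(F, w, alpha, ops):
    good = [(s, o) for o in ops for s in [score(F, w, alpha, o)] if s > 0]
    return max(good)[1] if good else None

def paws_update(F, w, alpha, sp, rng):
    """Probabilistic PAWS (Sect. 3): bump falsified clauses, or smooth with prob. sp."""
    smooth = rng.random() < sp
    for i, c in enumerate(F):
        falsified = dts(c, alpha) > 0
        if smooth and not falsified and w[i] > 1:
            w[i] -= 1
        elif not smooth and falsified:
            w[i] += 1

def integer_mode(F, alpha, max_steps=2000, t=45, sp=0.0003, seed=1):
    """Algorithm 3 without the mode switch: returns a model of F, or None."""
    rng, w, alpha = random.Random(seed), [1] * len(F), dict(alpha)
    for _ in range(max_steps):
        if cost(F, w, alpha) == 0:
            return alpha
        op = best_decreasing(F, w, alpha, candidates(F, alpha, True))
        if op is None:               # second level: BMS sample of D \ S
            pool = candidates(F, alpha, False)
            op = best_decreasing(F, w, alpha, rng.sample(pool, min(t, len(pool))))
        if op is None:               # local optimum: reweight, pick by dscore
            paws_update(F, w, alpha, sp, rng)
            cl = rng.choice([c for c in F if dts(c, alpha) > 0])
            ops = [o for l in cl for o in cm_ops(l, alpha)]
            if not ops:              # equality stall: +-1 step shrinking |Delta|
                coefs, _, k = cl[0]
                x = rng.choice(list(coefs))
                ops = [(x, -1 if coefs[x] * (lhs(cl[0], alpha) - k) > 0 else 1)]
            op = max(ops, key=lambda o: dscore(F, w, alpha, o))
        alpha = apply(alpha, op)
    return None
```

On the literals of Example 3, cm_ops returns exactly the increments of the text (a by 3 and b by −2 for ℓ1; c by 1 and d by −5 for ℓ2, with no move on a since 3 does not divide −5), and on Example 5 score and dscore give 1/1 and 3/−2 for op1/op2. Starting integer_mode from the all-zero assignment of Example 5 reaches a model within a few greedy steps, because every initial critical move on the falsified clauses is decreasing; the PAWS and dscore branch is only exercised once the search is stuck.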


Restart Mechanism: The search is restarted when the number of fal- 
sified clauses has not decreased for MaxNoImprove iterations, where 
MaxNoImprove is a parameter. 
Forbidding Strategies. Local search methods tend to get stuck in suboptimal regions. To address the cycle phenomenon (i.e. revisiting some search regions), we employ a popular forbidding strategy called the tabu strategy [25]. After an operation is executed, the tabu strategy forbids the reverse operation in the following tt iterations, where tt is a parameter usually called the tabu tenure. The tabu strategy can be directly applied in LS-LIA. (1) If a flip operation is performed to flip a Boolean variable, then the variable is forbidden to flip in the following tt iterations. (2) If a cm operation that increases (decreases, resp.) the value of an integer variable x is performed, then it is forbidden to decrease (increase, resp.) the value of x in the following tt iterations.


7 Experiments 


We carried out experiments to evaluate LS-LIA on 4 benchmarks, and compare it 
with state-of-the-art SMT solvers. Also, we combine LS-LIA with Z3 to obtain 
a sequential portfolio solver, which shows further improvement. Additionally, 
experiments are conducted to analyze the effectiveness of the proposed ideas. 


7.1 Experiment Preliminaries 


Implementation: LS-LIA is implemented in C++ and compiled by g++ with the '-O3' option. There are 5 parameters in LS-LIA: L for switching phases, tt for the tabu scheme, MaxNoImprove for restart, t (the number of samples) for the BMS heuristic and sp (the smoothing probability) for the PAWS scheme. The parameters are tuned according to suggestions from the literature and our preliminary experiments on 20% sampled instances, and are set as follows: L = 20, t = 45, tt = 3 + rand(10), MaxNoImprove = 500000 and sp = 0.0003 for all benchmarks.


Competitors: We compare LS-LIA with 4 state-of-the-art SMT solvers according to SMT-COMP 2021³, namely MathSAT5 (version 5.6.6), CVC5 (version 0.0.4), Yices2 (version 2.6.2), and Z3 (version 4.8.14), which are the union of the top 3 solvers (excluding portfolio solvers) of the QF_LIA and QF_IDL tracks. The binaries of all competitors are downloaded from their websites.


Benchmarks: Our experiments are carried out with 4 benchmarks. 


— SMTLIB-LIA: This benchmark consists of SMT (LIA) instances from SMT-LIB⁴. As LS-LIA is an incomplete solver, UNSAT instances are excluded, resulting in a benchmark of 2942 instances whose status is satisfiable or unknown.

— SMTLIB-IDL: This benchmark consists of SMT (IDL) instances from SMT-LIB⁵. UNSAT instances are also excluded, resulting in a benchmark of 1377 instances whose status is satisfiable or unknown.

³ https://smt-comp.github.io/2021
⁴ https://clc-gitlab.cs.uiowa.edu:2443/SMT-LIB-benchmarks/QF_LIA
⁵ https://clc-gitlab.cs.uiowa.edu:2443/SMT-LIB-benchmarks/QF_IDL
— JSP: This benchmark consists of 120 instances encoded from the job shop scheduling problem, resembling [31]. Note that there is a mistake in the encoding method of the original instances from [31], which we fixed in the new instances.

— RVPredict: these instances are generated by a runtime predictive analysis system called RVPredict [29], which formulates data race detection in concurrent software as a constraint problem by encoding the control flow and a minimal set of feasibility constraints as a group of IDL formulae. The author of RVPredict kindly provided us with 15 satisfiable instances obtained by running RVPredict on the DaCapo benchmark suite [5].


Instances from the SMTLIB-LIA and SMTLIB-IDL benchmarks are divided into two categories depending on whether they contain Boolean variables. From the viewpoint of algorithm design, there is a major difference between the operations on Boolean and integer variables. We observe that instances containing only integer variables make up a large proportion of these two benchmarks, namely 81.1% and 44.1% respectively.


Experiment Setup: All experiments are carried out on a server with an Intel Xeon Platinum 8153 2.00 GHz and 2048 GB RAM under CentOS 7.9.2009. Each solver is executed once with a cutoff time of 1200 s (as in SMT-COMP) for each instance in the SMTLIB-LIA, SMTLIB-IDL and JSP benchmarks, as they contain sufficient instances. For the RVPredict benchmark (15 instances), the competitors are also executed once per instance as they are exact solvers, while LS-LIA is run 10 times per instance. "#inst" denotes the number of instances in each family. We compare the number of instances where an algorithm finds a model ("#solved"), as well as the run time. The bold value in a table emphasizes the solver with the greatest "#solved". For RVPredict, LS-LIA solves all instances with a 100% success rate and we report the median, minimum and maximum run time among the 10 runs for each instance.

We uploaded our solver as well as the JSP and RVPredict benchmarks (along with related information) to an anonymous GitHub repository⁶.


7.2 Results on SMTLIB-LIA and SMTLIB-IDL Benchmarks 


Results on SMTLIB-LIA (Table 1 and Fig. 2). We organize the results 
into two categories: instances Without Boolean variables, and instances With 
Boolean variables. LS-LIA outperforms its competitors on the Without Boolean 
category, solving 2294 out of the 2385 instances. We also present the run time 
comparisons between LS-LIA and each competitor on the Without Boolean cat- 
egory of SMTLIB-LIA benchmark in Fig. 2. As for the With Boolean category, 


⁶ https://anonymous.4open.science/r/sls4lia/
Table 1. Results on instances from SMTLIB-LIA.

Type             Family                #inst  MathSAT5  CVC5  Yices2    Z3  LS-LIA
Without Boolean  20180326-Bromberger     631       538   425     358   532     581
                 bofill-scheduling       407       407   402     407   405     391
                 CAV_2009_benchmarks     506       506   498     396   506     506
                 check                     1         1     1       1     1       1
                 convert                 280       273   205     186   184     279
                 dillig                  230       230   230     200   230     230
                 miplib2003               16        10     9      11     8      13
                 pb2010                   41        14     5      21    33      28
                 prime-cone               19        19    19      19    19      19
                 RWS                      20        11    13      11    14      12
                 slacks                  231       230   231     161   230     231
                 wisa                      3         3     3       3     3       3
                 Total                  2385      2242  2041    1774  2165    2294
With Boolean     2019-cmodelsdiff        144        94    95      95    95      51
                 2019-ezsmt              108        84    79      81    81      54
                 20210219-Dartagnan       47        22    22      23    23       2
                 arctic-matrix           100        43    26      59    47      77
                 Averest                   9         9     9       9     9       7
                 calypto                  24        24    24      24    24      21
                 CIRC                     18        18    18      18    18       3
                 fft                       5         3     3       3     3       3
                 mathsat                  21        21    21      21    21      13
                 nec-smt                1256      1244   425    1256  1242     581
                 RTCL                      2         2     2       2     2       2
                 tropical-matrix         108        55    42      71    52      98
                 Total                  1842      1619   766    1662  1617     912


the performance of LS-LIA is overall worse than its competitors, but still comparable. A possible explanation is that, like local search SAT solvers, LS-LIA is not good at exploiting the relations among Boolean variables. Nevertheless, LS-LIA has an obvious advantage on the "tropical-matrix" and "arctic-matrix" instances, which are industrial instances from automated program termination analysis [16], showing its complementary performance compared to CDCL(T) solvers.
Fig. 2. Run time comparison on Without Boolean category of SMTLIB-LIA


Results on SMTLIB-IDL Benchmark (Table 2 and Fig. 3). Similar to 
the case for SMTLIB-LIA, our local search solver shows the best performance on 
IDL instances Without Boolean variables (solving 597 out of the 707 instances), 
which can be seen from Table 2 and Fig. 3. However, LS-LIA performs worse than 
its competitors on those With Boolean variables. Overall, LS-LIA cannot rival 
its competitors on this benchmark, but works particularly well on the instances 
without Boolean variables. 


Combination with Z3 and Summary on SMTLIB benchmarks (Table 
3). To confirm the complementarity of our local search solver with state of the art 
SMT solvers, we combine LS-LIA with Z3, by running Z3 with a time limit 600 s, 
and then LS-LIA from scratch with the remaining 600s if Z3 fails to solve the 
instance. This wrapped solver can be regarded as a sequential portfolio solver, 
denoted as “Z3+LS”. 

We summarize the results of all solvers, including Z3+LS, on SMTLIB-LIA 
and SMTLIB-IDL benchmarks in Table 3. Among all single-engine solvers, Math- 
SAT5 solves the most instances of SMTLIB-LIA benchmark, while Z3 solves the 
most instances of SMTLIB-IDL benchmark. LS-LIA outperforms its competi- 
tors on instances Without Boolean variables, indicating that local search is an 
effective approach for solving SMT (LIA) instances with only integer variables. 

Z3+LS solves more instances than any other solver on both benchmarks, 
confirming that LS-LIA and Z3 have complementary performance and their 




Table 2. Results on instances from SMTLIB-IDL.

Type             Family             #inst  MathSAT5  CVC5  Yices2    Z3  LS-LIA
Without Boolean  20210312-Bouvier     100         4    44      21    42      40
                 job-shop             108        39    59      74    73      77
                 n_queen               97        57    86      97    92      97
                 toroidal_bench        32        11    10      12    12      13
                 super_queen           91        57    86      91    91      91
                 DTP                   32        32    32      32    32      32
                 schedulingIDL        247       100   125     247   247     247
                 Total                707       300   442     574   589     597
With Boolean     asp                  379       147   212     284   291      27
                 Averest              157       157   157     157   157     120
                 benscheduling          6         3     4       4     4       4
                 fuzzy-matrix          15         0     0       0     0       1
                 mathsat               16        16    16      16    16      11
                 parity               136       130   136     136   136     136
                 planning               2         2     2       2     2       0
                 qlock                 36        36    36      36    36       0
                 RTCL                   4         4     4       4     4       4
                 sal                   10        10    10      10    10       8
                 sep                    9         9     9       9     9       8
                 Total                770       514   586     658   665     319

[Fig. 3, panels (a) to (d): log-log scatter plots of run time in seconds (axes from 0.001 to 1000), LS-LIA on the x-axis against (a) MathSAT5, (b) CVC5, (c) Yices2 and (d) Z3.]

Fig. 3. Run time comparison on Without Boolean category of SMTLIB-IDL
Table 3. Summary results on SMTLIB-LIA and SMTLIB-IDL. Instances without and with Boolean variables are denoted by "no_bool" and "with_bool" respectively.

Category        #inst  MathSAT5  CVC5  Yices2    Z3  LS-LIA  Z3+LS
LIA_no_bool      2385      2242  2041    1774  2165    2294   2316
LIA_with_bool    1842      1619   766    1662  1617     912   1625
Total            4227      3861  2807    3436  3782    3206   3941
IDL_no_bool       707       300   442     574   589     597    597
IDL_with_bool     770       514   586     658   665     319    661
Total            1477       814  1028    1232  1254     916   1258
Fig. 4. Run time comparison on job shop scheduling instances.


combination pushes the state of the art in solving satisfiable instances of SMT 
(LIA). We also combined LS-LIA with Yices in the same manner, resulting in 
a wrapped solver called YicesLS [11], which won the Single-Query and Model- 
Validation Track on QF_IDL in SMT-COMP 2021. 


7.3 Results on Job Shop Scheduling Benchmark 


LS-LIA significantly outperforms the competitors on the JSP benchmark. LS-LIA solves 74 instances, while MathSAT5, CVC5, Yices2 and Z3 solve only 27, 29, 49 and 44 instances respectively. The run time comparison on the JSP benchmark is presented in Fig. 4, where the instances that neither the competitor nor LS-LIA can solve are excluded. LS-LIA shows a dominating advantage over its competitors on these JSP instances.


7.4 Results on RVPredict Benchmark 


Table 4 presents the results on satisfiable instances generated by running RVPre- 
dict [29] on Dacapo benchmark suite [5]. LS-LIA solves all the instances 
Table 4. The results on RVPredict instances; "#var" and "#clause" denote the number of variables and clauses respectively. If a solver finds a satisfying assignment, the run time to find the assignment is reported, otherwise 'NA' is reported. For LS-LIA, we report the median (minimum, maximum) run time.

Instance       #var  #clause  MathSAT5   CVC5  Yices2    Z3  LS-LIA
RVPredict_1   19782    38262     344.8  410.2     6.3    NA  67.6 (56.7, 139.4)
RVPredict_2   19782    38262     427.0  429.7     3.3    NA  77.3 (54.2, 107.2)
RVPredict_3   19782    38258     329.5  378.2     9.9    NA  57.8 (56.5, 116.7)
RVPredict_4   19782    38263     333.3  403.5     3.9    NA  80.7 (58.1, 130.5)
RVPredict_5   19782    38262     346.3  412.7     5.8    NA  78.2 (52.3, 124.4)
RVPredict_6   19782    38258     457.2  332.7     2.5    NA  61.1 (43.4, 151.4)
RVPredict_7   19782    38262     541.0  382.7    11.1    NA  68.3 (44.7, 100.6)
RVPredict_8   19782    38259     357.0  405.0     6.9    NA  72.8 (54.5, 131.2)
RVPredict_9   19782    38262     431.3  443.7    12.8    NA  73.2 (41.8, 122.5)
RVPredict_10  19782    38246     460.4  280.7     4.6    NA  56.7 (43.6, 137.3)
RVPredict_11    139      174       0.1    0.1     0.1   0.1   0.1 (0.1, 0.1)
RVPredict_12    460     6309       4.7    5.6     0.1   0.3   1.3 (0.4, 4.5)
RVPredict_13    460     6503       4.1    6.1     0.1   0.3   0.1 (0.1, 0.1)
RVPredict_14    460     6313       4.3    5.8     0.1   0.3   0.7 (0.1, 1.5)
RVPredict_15    460     6313       5.5    5.8     0.1   0.3   0.8 (0.5, 1.7)


consistently, and ranks second on this benchmark, only slower than Yices2. Par- 
ticularly, on the 10 large instances RVPredict_1-10, LS-LIA is much faster than 
competitors except Yices2. 


7.5 Effectiveness of Proposed Strategies 


To analyze the effectiveness of the strategies in LS-LIA, we modify LS-LIA to 
obtain 5 alternative versions as follows. 


— To analyze the effectiveness of the cm operator, we modify LS-LIA by replac- 
ing the cm operator with the operator that directly modifies an integer vari- 
able by a fixed increment inc, leading to two versions v_fix_1 and v_fix_5, 
where inc is set as 1 and 5 respectively. 

— To analyze the effectiveness of the two level heuristic for picking a decreasing 
cm operation, we modify LS-LIA by choosing a decreasing cm operation only 
from falsified clauses or directly from all false literals, leading to two versions, 
namely v_focused and v_extend. 

— To analyze the effectiveness of dscore, we modify LS-LIA to choose a cm 
operation with the highest score from the selected clause at local optima, 
leading to the version v_score. 


We compare LS-LIA with these modified versions on the SMTLIB-LIA and SMTLIB-IDL benchmarks. The run time distributions of LS-LIA and its modified versions on the two benchmarks are presented in Fig. 5, confirming the effectiveness of the strategies.
Fig. 5. Run time distribution comparison


8 Conclusion and Future Work 


We developed the first local search solver for SMT (LIA) and SMT (IDL), open- 
ing the local search direction for SMT on integer theories. Main features of our 
solver include a framework switching between Boolean and Integer modes, the 
critical move operator and a scoring function based on distance to satisfaction. 
Experiments show that our solver is competitive and complementary to state- 
of-the-art SMT solvers. 

We would like to enhance our solver by improving the performance on 
instances with Boolean variables. Also, it is interesting to explore deep coop- 
eration with DPLL(T) solvers. 
Abstract. Reasoning about data structures requires powerful logics 
supporting the combination of structural and data properties. We define 
a new logic called Mso-D (Monadic Second-Order logic with Data) as an 
extension of standard Mso on trees with predicates of the desired data 
logic. We also define a new class of symbolic data tree automata (SDTAs) 
to deal with data trees using a simple machine. Mso-D and SDTAs are 
both Turing-powerful, and their high expressiveness is necessary to deal 
with interesting data structures. We cope with undecidability by encod- 
ing SDTA executions as a system of CHCs (Constrained Horn Clauses), 
and solving the resulting system using off-the-shelf solvers. We also iden- 
tify a fragment of Mso-D whose satisfiability can be effectively reduced 
to the emptiness problem for SDTAs. This fragment is very expressive 
since it allows us to characterize a variety of data trees from the litera- 
ture, solving certain infinite-state games, etc. We implement this reduc- 
tion in a prototype tool that combines an Mso decision procedure over 
trees (MONA) with a CHC engine (Z3), and use this tool to conduct sev- 
eral experiments, demonstrating the effectiveness of our approach across 
different problem domains. 


1 Introduction 


Reasoning about linear or tree-like data structures requires very expressive logics 
that allow combining structural and data properties. Logical characterizations of 
common data structures often impose restrictions on the structural part, which 
are intertwined with constraints on the data part. For example, in a binary search 
tree (BST) the data values are organized in the form of a binary tree, where the 
numerical value associated with each node is greater than or equal to all the 
values stored in its left sub-tree and smaller than all those in its right sub-tree. 
Logical characterisations of data structures may also require the calculation of 
measures concerning parts of the structure such as size or height. Think of red- 
black trees (RBT), a type of BST with additional constraints, such as “every path 
from a given node to any of its descendant leaves goes through the same number 
of black nodes". Similarly, for AVL trees we need to impose that the heights of 
the sub-trees rooted in the children of any node differ by a maximum of one. 

As a first contribution, we define a new logic called Mso-D (Monadic Second- 
Order logic with Data) as an extension of standard Mso on binary trees with 
data constraints. The Mso component of the logic allows us to express structural 
properties, while the data constraint component allows us to impose properties 
on the data associated with the nodes. Constraints on data are expressed by 
predicates from a desired data logic that is completely agnostic to the underly- 
ing tree structure. We connect the two components by means of uninterpreted 
functions that map each node of the tree to a data item. An example of an 
Mso-D formula that defines BSTs is: 


$\forall x\, \forall y.\ \big( (path_l(x, y) \rightarrow val(x) \geq val(y)) \wedge (path_r(x, y) \rightarrow val(x) < val(y)) \big)$   (1)

where $x$ and $y$ are first-order variables ranging over the set of nodes, $path_l(x, y)$ (resp., $path_r(x, y)$) is an Mso formula expressing that "$y$ is in the left (resp., right) sub-tree of $x$", and $val$ is an uninterpreted function that maps each node of the tree to an integer.

As a second contribution, we define a new class of symbolic data tree automata 
(SDTAs) to recognize languages of data trees using a simple machine. Such 
automata perform a bottom-up computation starting from the leaves of the data 
tree. The state of an SDTA is represented by the value of a set of state variables, 
whereas the data trees recognized by the automaton carry another set of alpha- 
bet variables. The transitions of an SDTA are expressed by joint constraints over 
state and alphabet variables. For example, BSTs attach to each node a single 
alphabet variable, say val, holding the numerical value of that node. An SDTA 
recognizing BSTs will use additional state variables to check that the data tree 
is indeed a BST. In this case, two state variables are sufficient to achieve this 
goal: one holding the minimum and one holding the maximum value stored in 
the sub-tree rooted in the current node. Similarly, SDTAs can be designed to 
recognize the classes of RBTs and AVL trees. 

We have to deal with undecidable problems when reasoning about data trees 
using Mso-D or SDTAs, and this is unavoidable if we want to (a) handle trees 
with data from infinite domains, and (b) relate data from different nodes. These 
two features make SDTAs Turing-powerful since they can encode executions of 
two-counter machines. A similar argument holds for the satisfiability problem of 
Mso-D, since we can write a formula that allows us to relate data in consecutive 
nodes. By prohibiting the propagation of unbounded information between nodes, 
the decidability of relevant decision problems can be recovered (see [11,12] for 
an account on this). However, these features are both essential to deal with data 
structures such as BSTs, RBTs, AVL trees, heaps, etc. 

A way to cope with undecidability is to encode the executions of an SDTA 
as a system of CHCs (Constrained Horn Clauses) or, equivalently, as a CLP 
(Constraint Logic Program) [26], and solve the system using efficient off-the- 
shelf tools. Systems of CHCs correspond to a restricted class of first-order logic, 
and are a versatile formalism for representing and solving a variety of program 
verification or model checking problems, including those regarding sequential, 
concurrent, and functional programs. Efficient algorithms have been proposed 
for solving systems of CHCs, often leveraging or generalizing techniques devel- 
oped in the context of automatic program verification [2,21,22]. As a result, 
CHCs are often used as an intermediate representation in a variety of verification 
and synthesis tools [6, 18, 20,23,25,27,29,35]. Here, we follow a similar approach 
to solve the emptiness problem for SDTAs, and this offers several advantages. 
First, it provides a separation of concerns, allowing users of our framework to 
focus only on aspects related to the tree data structure at hand, while giving 
CHC solver developers a clean framework that can be instantiated using various 
model checking algorithms and specialized decision procedures. Furthermore, by 
expressing CHCs in the standard SMT-LIB language, one can take advantage 
of different CHC engines, whose performance keeps improving year-over-year, as 
witnessed by the competition on constrained Horn clauses CHC-COMP [19]. 

As a third contribution, we show several results linking the Mso-D satisfiabil- 
ity problem to the emptiness of SDTAs, and thus to the problem of solving a CHC 
system. A fundamental theorem for the class of regular (word or tree) languages 
states that a language is regular if and only if it is Mso-definable, i.e., definable 
by a closed formula (i.e., a sentence) of standard Mso [4,5,14,15,39,41]. Here, 
we show that if we allow Mso-D data predicates to talk only about the data of a 
single node, the satisfiability problem can be reduced to the emptiness of SDTAs. 
Furthermore, both decision problems are decidable in this case [11]. Moreover, 
we identify a larger undecidable syntactical fragment of Mso-D where the above 
reduction can still be performed. Namely, we give an effective reduction when 
the Mso-D formula is of the form $\exists x\,\forall y.\ \varphi(x, y)$, where $\varphi$ can contain additional 
quantifiers and each data constraint in $\varphi$ is either unary, or accesses the data in 
a bounded neighborhood of the nodes referred to by $x$ and at most one of the 
variables of $y$. We show that this fragment is very expressive as it allows us to 
characterize a variety of tree data structures from the literature, solve certain 
infinite-state games, and handle many other potential applications. 

As a fourth and final contribution, we have implemented the reduction for the 
syntactic Mso-D fragment described above in a prototype tool that combines 
an Mso decision procedure over trees (MONA [28]) with a CHC engine (of the 
SMT solver Z3 [24,36]). Using this tool we have conducted several experiments 
to demonstrate the effectiveness and the practicality of our approach. 


Organization of the Paper. The rest of the paper is organized as follows. Section 2 
defines data trees, while Sect. 3 introduces the Mso-D logic. Section 4 deals 
with the definition of SDTAs, and Sect. 5 shows that the emptiness problem for 
SDTAs is undecidable in general but can be solved by off-the-shelf CHC engines. 
Section 6 shows a reduction from the Mso-D satisfiability problem to the empti- 
ness of SDTAs, for the Mso-D fragment $\exists x\,\forall y.\ \varphi(x, y)$. Section 7 describes our 
prototype implementation and summarises our experimental evaluation. Related 
work and concluding remarks can be found in Sect. 8 and 9, respectively. 
2 Data Trees 


Here we formally define data trees. We deal with trees that are finite in size and 
labeled with data from possibly infinite domains. We consider only binary trees 
(i.e., trees of arity 2) to keep notation to a minimum. However, the methods and 
approaches presented in the paper apply to any class of trees of fixed arity. 

We will use $\mathbb{N}$ to denote the set of all natural numbers, $\mathbb{Z}$ to stand for the 
set of integers, and $\mathbb{B}$ to represent the set $\{0,1\}$. For a number $n \in \mathbb{N}$, we write 
$[n]$ to denote the interval $\{1,\ldots,n\}$. 


Words. An alphabet is a finite set of symbols. A word $w$ over an alphabet $\Sigma$ 
is a finite (possibly empty) sequence $w = a_1 a_2 \ldots a_n$ where $a_i \in \Sigma$ for $i \in [n]$. 
We denote with $|w|$ the length of the sequence of symbols forming $w$. The empty 
word, denoted by $\varepsilon$, is the word formed by no symbol. We denote the set of all 
words over $\Sigma$ by $\Sigma^*$. A language $L$ over $\Sigma$ is any subset of $\Sigma^*$. A prefix (resp., 
suffix) of a word $w$ is either $\varepsilon$, or any sequence $a_1 \ldots a_j$ (resp., $a_j \ldots a_n$), for some 
$j \in [n]$. Given two words $a = a_1 a_2 \ldots a_n$ and $b = b_1 b_2 \ldots b_m$, their concatenation, 
denoted $ab$, is the word $a_1 a_2 \ldots a_n b_1 b_2 \ldots b_m$. Given a word $w \in \Sigma^*$ and a 
language $L \subseteq \Sigma^*$, we define $Ext(w, L)$ as the language of all words $w'$ such that 
$ww'$ is a word in $L$, i.e., $Ext(w, L) = \{w' \mid ww' \in L\}$. 


Trees. A binary tree $T$, or simply a tree, is a finite and prefix-closed subset of 
$\{0,1\}^*$. We call the elements of $T$ nodes, and the node identified by $\varepsilon$ the root 
of $T$. The edge relation is defined implicitly: for $d \in \{0,1\}$, if $v$ and $vd$ are both 
nodes of $T$, then $(v, vd)$ is an edge of $T$. Further, if $d$ is 0 (resp., 1) we say that 
$vd$ is the left (resp., right) child of $v$, and $v$ is the parent of $vd$. A leaf is a node 
with no children, while an internal node is a node that is not a leaf. The height 
of $T$ is $\max_{t \in T} |t|$. The sub-tree of $T$ rooted at a given node $t \in T$ is $Ext(t, T)$. 
Further, $Ext(t, T)$ is a left (resp., right) sub-tree of $t'$ if $t = t'0$ (resp., $t = t'1$), 
for some $t' \in T$. The $k$-th level of a tree $T$ consists of the sequence of all $t \in T$ 
with $|t| = k$, sorted in ascending lexicographic order. Further, the $k$-th level of 
$T$ is filled left to right if it is a prefix of the $k$-th level of $\{0,1\}^*$. 


Data Signatures. Data signatures are like structured data types (a.k.a. records) 
in programming languages: a data signature $S$ is a set of pairs $\{\mathit{id}_i : \mathit{type}_i\}_{i=1\ldots n}$. 
Common types of interest include bounded or unbounded integers (denoted by 
int and $\mathbb{Z}$, resp.), floating point rationals and real numbers (float and $\mathbb{R}$), the 
Boolean type $\mathbb{B}$ and the bit vectors of length $k$. If a signature contains a single 
field whose type is a finite alphabet $\Sigma$, we call that signature an enumeration. 
An evaluation $\nu$ of a data signature $S$ is a map that associates each field name 
$\mathit{id}$ in $S$ with a value of the corresponding type, denoted by $\nu.\mathit{id}$. We denote by 
$L(S)$ the set of all evaluations of $S$, also called the language of $S$. 


Data Trees. A data tree with data signature $S$, or an $S$-tree, is a pair $(T, \lambda)$ 
where $T$ is a tree and $\lambda$ is a labelling function that maps each node $t \in T$ into an 
evaluation of $S$, i.e., $\lambda(t) \in L(S)$. Another way of looking at data trees is to think 
of them as a traditional tree data structure where the data $\lambda(t)$ associated with 
each node $t$ is structured. Thus, to simplify the notation when $\lambda$ is clear from the 
context, we adopt a C-like notation to refer to the value of fields associated with 
tree nodes: if $t$ is a tree node and $\mathit{id}$ is a field of $S$, we write $t.\mathit{id}$ as a shorthand 
for $\lambda(t).\mathit{id}$. If the data signature is an enumeration, we recover the traditional 
notion of $\Sigma$-labelled tree. 

Many data structures from the literature can be seen as data trees. Below 
we give a high-level description of well-known data structures [9]. In addition to 
using them for motivating purposes, we will also use them as running examples. 


Example 1 (Binary Search Trees). A BST is a binary tree where each node stores 
a key taken from a totally ordered set, with the property that the key stored in 
each internal node is greater than or equal to all the keys stored in the node’s 
left subtree, and smaller than those in its right subtree. Thus, an appropriate 
signature for data trees representing BSTs is $\{val : \mathbb{Z}\}$. 


Example 2 (Red-black Trees). An RBT is a binary tree where each internal node 
stores a numerical value, satisfying the binary search tree property. The leaves 
do not contain keys or data and they represent a NIL pointer. Each node has 
a color (red or black), and the following properties hold: (i) every leaf is black, 
(ii) if a node is red then both its children are black, and (iii) every path from a 
given node to a descendant leaf contains the same number of black nodes. 

Note that while the color is a piece of information stored in the node, the 
black height can instead be computed on demand. Thus, the signature for data 
trees representing RBTs may be {val : Z, is_black : B}. 


Example 3 (Max-Heap). A Max-Heap is a binary tree where each node stores 
a key taken from a totally ordered set, say $\mathbb{Z}$, and can be described as an $S$- 
tree $(T, \lambda)$ where $S$ is a data signature consisting of a single integer field, say 
{key : Z}, that obeys the following two constraints: (i) (shape property) T is 
almost complete, i.e., all its levels are complete, except the last one, that is filled 
from left to right; and (ii) (heap property) the value stored in each node is greater 
than or equal to the values stored in the node’s children. 


3 Monadic Second-Order Logic with Data 


In this section, we introduce our Mso-D logic to express properties of data 
trees. We define Mso-D by extending the standard Monadic Second-Order logic 
on (enumeration) trees (a.k.a. MSO) with constraints on the Data. 

Data constraints are formulas in first-order logic (FOL) with equality (here 
we use standard FOL syntax and semantics [34]). However, since data trees 
may involve different data types, we will consider formulas with many-sorted 
signatures as opposed to the classical unsorted version. Specifically, we deal 
with formulas of a many-sorted first-order theory $D$ with sorts $\mathit{data}_1, \ldots, \mathit{data}_n$. 
For each $\mathit{data}_i$, we allow a theory $D_{\mathit{data}_i}$ whose function symbols have type 
$\mathit{data}_i^{\,n} \to \mathit{data}_i$ and whose relation symbols have type $\mathit{data}_i^{\,m} \to \mathbb{B}$, for some $n$ 
and m. For example, each of these theories can be the theory of arithmetic, reals, 
arrays, etc. From now on, we may refer to D as the data theory of Mso-D. 
We also introduce a finite set of connecting function symbols, denoted $F$, 
which we use to extend the Mso component of our logic with data. Let $\mathit{nodes}$ be 
the sort of the Mso component. Then, each $f \in F$ is an uninterpreted function 
symbol with type $\mathit{nodes} \to \mathit{data}_i$, for some $i \in [n]$. These functions allow us 
to model fields that we associate with each node in the tree. In particular, we 
say that $f \in F$ models a field of an $S$-tree if $f$ is also the name of a field in 
$S$. Otherwise, $f$ may serve the purpose of endowing tree nodes with extra data 
fields without these being present in the labels of the data tree. This is a very 
useful feature for characterizing tree data structures, e.g., we can use $bh \in F$ to 
logically characterize the black height of nodes in RBTs, even if that information 
is not part of the data signature of RBTs. 

We are now ready to formally define the syntax of Mso-D over S-trees with 
data theory D and connecting functions F. We fix countable sets of propositional 
variables (denoted by p), first-order node variables (denoted by x,y, etc.), and 
node-set variables (denoted by X,Y, etc.). We assume that D includes relation 
symbols Dl, We also assume that the symbols in D, the variable names, and 
the symbols in F do not overlap. Since D is imported in Mso-D unchanged we 
do not report its definition here. The remaining components of the syntax of 
Mso-D(D,F,S) are defined by the following grammar: 


Node terms: $t ::= x \mid t.\mathit{left} \mid t.\mathit{right}$ 

Formulas: $\varphi ::= p \mid t_1 = t_2 \mid t \in X \mid \exists x.\varphi \mid \exists X.\varphi \mid \neg\varphi \mid \varphi \wedge \varphi \mid r(f_1(t_1), \ldots, f_k(t_k))$ with $r \in D$, $f_1, \ldots, f_k \in F$ 

where $r$ and $f_1, \ldots, f_k$ are well-typed, i.e., there is an index $i$ such that the type 
of $r$ is $\mathit{data}_i^{\,k}$, and for every $j \in [k]$, $f_j$ has type $\mathit{nodes} \to \mathit{data}_i$. We denote the 
set of all variables occurring in $\varphi$ by $Var(\varphi)$. 

An interpretation of a formula $\varphi$ is a pair $(T^\lambda, I)$, where $T^\lambda$ is an $S$-tree 
$(T, \lambda)$, and $I$ interprets the remaining symbols of the logic. We interpret the 
$D$-component of our theory as we would interpret $D$ in isolation. Assume that 
$\mathcal{D}$ is the chosen interpretation of $D$, with underlying universes $D_i$ for sort $\mathit{data}_i$. 
Also, $I$ maps each function symbol $f$ in $F$ with type $\mathit{nodes} \to \mathit{data}_i$ to a concrete 
function $I(f) : T \to D_i$. Moreover, if $f$ is also the name of a field in $S$, then we 
require that $I(f)$ coincides with the value of the field $f$ in each node of the tree, 
i.e., $I(f)(v) = \lambda(v).f$, for every $v \in T$. The satisfaction relation depends also on 
$\mathcal{D}$, but we omit it here because we consider it fixed. 

We interpret the variables in $Var(\varphi)$ by mapping each of them into a subset 
of nodes of $T$ with the following properties: (i) first-order variables are assigned 
singletons, and (ii) propositional variables are assigned either all nodes (encoding 
true) or no node at all (encoding false). For a set of nodes $S \subseteq T$ and a (first- or 
second-order) variable $\alpha \in Var(\varphi)$, we denote by $I[S/\alpha]$ the function that maps 
$\alpha$ to $S$, and agrees with $I$ on all the other variables. Node terms are interpreted 
as follows: 
$$I(t) = \begin{cases} I(x) & \text{if } t = x \\ I(s)0 & \text{if } t = s.\mathit{left} \text{ and } I(s)0 \in T \\ I(s)1 & \text{if } t = s.\mathit{right} \text{ and } I(s)1 \in T \\ I(s) & \text{otherwise.} \end{cases}$$


Notice that the .left and .right operators stutter on leaves, that is, for all 
leaves v it holds v = v.left = v.right. 
The satisfaction relation $T^\lambda, I \models \varphi$ is defined as follows. 


$T^\lambda, I \models p$ iff $I(p) = T$ 

$T^\lambda, I \models t_1 = t_2$ iff $I(t_1) = I(t_2)$ 

$T^\lambda, I \models t \in X$ iff $I(t) \subseteq I(X)$ 

$T^\lambda, I \models r(f_1(t_1), \ldots, f_k(t_k))$ iff $\mathcal{D}(r)\big( I(f_1)(I(t_1)), \ldots, I(f_k)(I(t_k)) \big)$ 

$T^\lambda, I \models \neg\varphi$ iff $T^\lambda, I \not\models \varphi$ 

$T^\lambda, I \models \varphi_1 \wedge \varphi_2$ iff $T^\lambda, I \models \varphi_1$ and $T^\lambda, I \models \varphi_2$ 

$T^\lambda, I \models \exists x.\varphi$ iff there exists $v \in T$ such that $T^\lambda, I[\{v\}/x] \models \varphi$ 

$T^\lambda, I \models \exists X.\varphi$ iff there exists $S \subseteq T$ such that $T^\lambda, I[S/X] \models \varphi$ 


We say that $T^\lambda$ satisfies $\varphi$, denoted $T^\lambda \models \varphi$, if there is an interpretation 
$I$ such that $T^\lambda, I \models \varphi$. We define the language of trees satisfying an Mso-D 
sentence in the usual way. An Mso-D sentence is a formula with no free variables. 
We define the set of all $S$-trees $T^\lambda$ satisfying an Mso-D$(D, F, S)$ sentence $\varphi$ by 
$L(\varphi)$, i.e., the set of all $S$-trees $T^\lambda$ such that $T^\lambda \models \varphi$. A language of trees $L$ 
is Mso-D$(D, F, S)$ definable if there exists an Mso-D$(D, F, S)$ sentence $\varphi$ such 
that $L = L(\varphi)$. 

We recover standard Mso when $S$ is an enumeration and $D$ includes a unary 
relation $r_a$ for each $a \in \Sigma$, whose interpretation is $\{a\}$. 


Undecidability of the Satisfiability Problem. The satisfiability problem for a given 
Mso-D$(D, F, S)$ sentence $\varphi$ asks whether $L(\varphi)$ is empty. Let $D$ be the theory 
of linear integer arithmetic. It is easy to model an execution of any given 2- 
counter machine using a unary data tree whose signature has two fields of type 
N to model the counters, and an enumeration field to keep track of the current 
instruction. Each machine configuration is represented by a node, and we can 
impose constraints in our logic so that two consecutive nodes in the tree model a 
machine transition. Likewise, we can also express the property of a halting com- 
putation in our logic. Thus, the satisfiability of the Mso-D logic is undecidable, 
even though the underlying data logic D is decidable. Of course, by choosing 
a finite domain for the interpretation of the underlying data logic, we regain 
decidability in that the problem matches that of the standard Mso. 


Examples. We now show various examples to illustrate the expressiveness of 
Mso-D. We will use the usual predefined abbreviations to denote the remaining 
propositional connectives ($\varphi_1 \vee \varphi_2$ and $\varphi_1 \rightarrow \varphi_2$), the universal quantifier 
($\forall x.\varphi \stackrel{\mathrm{def}}{=} \neg\exists x.\neg\varphi$), $x \neq y \stackrel{\mathrm{def}}{=} \neg(x = y)$, and the conditional expression 
$(\varphi \mathrel{?} \varphi_1 : \varphi_2) \stackrel{\mathrm{def}}{=} (\varphi \wedge \varphi_1) \vee (\neg\varphi \wedge \varphi_2)$. Finally, the following standard Mso 
predicates will come in handy: $\mathit{child}(x, y)$, $\mathit{root}(x)$, $\mathit{leaf}(x)$, and $\mathit{path}(x, y)$. 


256 M. Faella and G. Parlato 


Example 4 (Mso-D Characterization of BSTs). We define the characteristic 
property of BSTs on data trees with data signature $\{val : \mathbb{Z}\}$. We first introduce 
the auxiliary predicate $\mathit{path}_l(x, y)$ (resp., $\mathit{path}_r(x, y)$) with the meaning “y is 
in the left (resp., right) sub-tree of x”. Using these predicates, we define the 
Mso-D sentence (1) that says that all nodes in the left sub-tree of a node $x$ 
contain values that are smaller than the value in $x$, and similarly for the right 
sub-tree. 

To demonstrate the use of connecting functions to model auxiliary node fields, 
we give an alternative way to characterize BSTs. We introduce two auxiliary 
connecting functions: $\mathit{min}$ and $\mathit{max}$. We impose constraints to ensure that for 
each node $x$ in the tree $\mathit{min}(x)$ and $\mathit{max}(x)$ are the minimum and maximum 
values of the sub-tree rooted in $x$, respectively. It is straightforward to see that 
we can impose the BST property by relating the values in each node with $\mathit{min}$ 
and $\mathit{max}$ in their children as follows: 

$$\psi_{bst} \stackrel{\mathrm{def}}{=} \forall x.\ \big( (x \neq x.\mathit{left} \mathrel{?} \mathit{min}(x) = \mathit{min}(x.\mathit{left}) \wedge \mathit{max}(x.\mathit{left}) < val(x) : \mathit{min}(x) = val(x)) \wedge$$
$$(x \neq x.\mathit{right} \mathrel{?} \mathit{max}(x) = \mathit{max}(x.\mathit{right}) \wedge \mathit{min}(x.\mathit{right}) > val(x) : \mathit{max}(x) = val(x)) \big)$$


Example 5 (Mso-D characterization of RBTs). We can also express the defining 
properties of red-black trees as follows: 


(a) Every leaf is black: $\forall x.\ \mathit{leaf}(x) \rightarrow \mathit{is\_black}(x)$. 
(b) If a node is red, both its children are black: 
$\forall x.\ (\neg\mathit{is\_black}(x)) \rightarrow (\mathit{is\_black}(x.\mathit{left}) \wedge \mathit{is\_black}(x.\mathit{right}))$. 
(c) Every path from a node to a leaf contains the same number of black nodes. 
We encode this property as the consistency of the black height data field $bh$: 

$$\forall x, y.\ \big( ((\mathit{is\_black}(x) \wedge \mathit{child}(y, x)) \rightarrow (bh(y) = bh(x) - 1))$$
$$\wedge\ ((\neg\mathit{is\_black}(x) \wedge \mathit{child}(y, x)) \rightarrow (bh(y) = bh(x)))$$
$$\wedge\ ((\mathit{leaf}(x) \wedge \mathit{is\_black}(x)) \rightarrow bh(x) = 1)$$
$$\wedge\ ((\mathit{leaf}(x) \wedge \neg\mathit{is\_black}(x)) \rightarrow bh(x) = 0) \big).$$


Extended Models. Since we are going to build automata corresponding to for- 
mulas with free variables, it is convenient to encode the variable interpretation 
in the tree itself, by expanding the data signature with an extra Boolean flag 
for each free variable. The flag corresponding to a free variable will be set to 1 
in the node(s) that belong to the interpretation of that variable. In detail, for a 
given interpretation $(T^\lambda, I)$, assume that $Var(\varphi) = \{\alpha_1, \ldots, \alpha_n\}$; we can define 
an extended tree $(T, \lambda^I)$ with data signature $S^I = S \cup \{\alpha_1, \ldots, \alpha_n : \mathbb{B}\}$, where 
$\lambda^I(u)(\alpha_i) = 1$ iff $u \in I(\alpha_i)$. Conversely, from an extended tree we can extract the 
corresponding variable interpretation. For such an extended tree we can write 
$T^{\lambda^I} \models \varphi$ without mentioning $I$. 


4 Symbolic Data-Tree Automata 


In this section, we define a new class of tree automata called Symbolic Data-Tree 
Automata. They generalize traditional bottom-up finite tree automata as they 
work with data trees. Furthermore, they are symbolic because the alphabet and 
set of states are defined using evaluations of data signatures, and their transition 
function is defined through constraints¹ involving states and alphabet. 


Definition 1 (Symbolic Data-Tree Automata). A symbolic data-tree 
automaton, or SDTA for short, $A$ is a tuple $(S^\Sigma, S^Q, \psi^F, \Psi^\Delta)$ where: 

- $S^\Sigma$ is the alphabet data signature defining the tree alphabet $\Sigma = L(S^\Sigma)$; 
- $S^Q$ is the state data signature defining the set of states $Q = L(S^Q)$; 
- $\psi^F$ is a unary constraint defining the set of final states $F \subseteq Q$, i.e., the set 
consisting of all elements $q \in Q$ such that $\psi^F(q)$ evaluates to true; 
- $\Psi^\Delta$ is a tuple of four transition constraints 
$\psi_{lr}(q_l, q_r, \sigma, q)$, $\psi_l(q_l, \sigma, q)$, $\psi_r(q_r, \sigma, q)$, $\psi_{leaf}(\sigma, q)$, 
where $q_l$, $q_r$, and $q$ are variables of type $S^Q$, and $\sigma$ is of type $S^\Sigma$. 

$A$ accepts $S^\Sigma$-trees. A tree $(T, \lambda)$ is accepted by $A$ if there is a total function 
$\pi : T \to Q$ such that for every node $t \in T$ one of the following holds: 

- $t$ has both children, and $\psi_{lr}(\pi(t0), \pi(t1), \lambda(t), \pi(t))$ holds; 
- $t$ has only the left child, and $\psi_l(\pi(t0), \lambda(t), \pi(t))$ holds; 
- $t$ has only the right child, and $\psi_r(\pi(t1), \lambda(t), \pi(t))$ holds; 
- $t$ is a leaf, and $\psi_{leaf}(\lambda(t), \pi(t))$ holds; 

and, in addition, $\psi^F(\pi(\varepsilon))$ holds. 

The language of $A$, denoted $L(A)$, is the class of all $S^\Sigma$-trees accepted by $A$. 

We recover standard tree automata when both data signatures $S^\Sigma$ and $S^Q$ 
are enumerations. In that case, we call $A$ an enumeration tree automaton and 
we denote it as $(\Sigma, Q, F, \Delta)$, where $\Sigma = L(S^\Sigma)$, $Q = L(S^Q)$, and so on. 


¹ We use the term constraint to denote a generic predicate $con(x_1, \ldots, x_p)$ in which 
the type of variable $x_i$ is some data signature $S_i$. We deliberately leave the definition 
of the constraints unspecified, and specify them only when it is necessary to do so. 




Example 6 (Symbolic Data-Tree Automaton for Max-Heap). We define an SDTA 
$A$ where $L(A)$ is the set of all max heaps. The state data signature of 
$A$ is $\{h : \mathbb{N}, f : \mathbb{B}, val : \mathbb{N}\}$. We use the $h$ field to store the height of the 
sub-tree rooted in the node, the $f$ field to store whether the sub-tree rooted 
in the node is complete with the last level completely filled, and $val$ stores the 
node’s data value. The transition data constraints are as follows: 

$$\psi_{leaf}(\sigma, q) \stackrel{\mathrm{def}}{=} q.h = 1 \wedge q.f \wedge q.val = \sigma.val$$
$$\psi_l(q_l, \sigma, q) \stackrel{\mathrm{def}}{=} q_l.h = 1 \wedge q.h = 2 \wedge \neg q.f \wedge \sigma.val \geq q_l.val \wedge q.val = \sigma.val$$
$$\psi_{lr}(q_l, q_r, \sigma, q) \stackrel{\mathrm{def}}{=} (q_l.h - 1 \leq q_r.h \leq q_l.h) \wedge (q.f \rightarrow (q_l.f \wedge q_r.f \wedge q_l.h = q_r.h))$$
$$\wedge\ (\neg q_l.f \rightarrow (q_r.h < q_l.h \wedge q_r.f)) \wedge (\neg q_r.f \rightarrow (q_r.h = q_l.h \wedge q_l.f))$$
$$\wedge\ \sigma.val \geq q_l.val \wedge \sigma.val \geq q_r.val \wedge q.val = \sigma.val.$$

For each leaf, we set the height field $h$ to 1, the field $f$ to true, and copy the 
label of the node into the state field $val$. Note that all sub-trees of a complete tree 
are still complete trees. Thus, if a node has only the left child, this child must be 
a leaf, and we set the parent node’s fields accordingly. A node with only the right 
child leads to a violation of the shape property, thus $\psi_r(q_r, \sigma, q) \stackrel{\mathrm{def}}{=} \mathit{false}$. Finally, 
we consider the case where the node has both children. Here $\psi_{lr}$ constrains the 
fields of the state data signature to guarantee their invariants. Specifically, the 
first two lines enforce the shape property while the last line enforces the heap 
property and copies the value of the label into the state field $val$. To conclude, 
we define $\psi^F$ as a tautology. However, if, for example, we wanted to accept only 
max heaps of height at least 100 we could have defined $\psi^F(q) \stackrel{\mathrm{def}}{=} (q.h \geq 100)$. 
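The max-heap automaton of Example 6, run as a bottom-up checker. This is an added example, not code from the paper or from its prototype tool. It encodes the state signature $\{h, f, val\}$ and the four transition constraints as Python predicates, computes the state function $\pi$ from the leaves upward, and finally tests $\psi^F$ on the root state. Two choices are ours: the parent's height $h$ is fixed as $q_l.h + 1$, and the field $f$, which $\psi_{lr}$ only constrains by implication, is set to true whenever the constraint allows it (a false $f$ only adds obligations on the sibling, so this canonical run decides acceptance). The sample trees are constructed here.

```python
from dataclasses import dataclass
from typing import Callable, Optional


# Alphabet signature S^Sigma = {val : N}: each data-tree node carries one label field.
@dataclass
class Node:
    val: int
    left: Optional["Node"] = None
    right: Optional["Node"] = None


# State signature S^Q = {h : N, f : B, val : N} from Example 6.
@dataclass(frozen=True)
class State:
    h: int      # height of the sub-tree rooted at the node
    f: bool     # sub-tree is complete with its last level completely filled
    val: int    # copy of the node's label


def psi_leaf(sigma: int) -> State:
    # psi_leaf(sigma, q) = q.h = 1 /\ q.f /\ q.val = sigma.val
    return State(1, True, sigma)


def psi_l(ql: State, sigma: int) -> Optional[State]:
    # psi_l(q_l, sigma, q): the lone left child must be a leaf and respect the heap order;
    # the parent then has height 2 and its last level is not completely filled.
    if ql.h == 1 and sigma >= ql.val:
        return State(2, False, sigma)
    return None


def psi_r(qr: State, sigma: int) -> Optional[State]:
    # psi_r is identically false: a node with only a right child breaks the shape property.
    return None


def psi_lr(ql: State, qr: State, sigma: int) -> Optional[State]:
    # Assumption (ours): the parent's height is one more than the left child's.
    h = ql.h + 1
    # f is not determined by psi_lr; choosing true whenever allowed gives the best run.
    f = ql.f and qr.f and ql.h == qr.h
    shape = ((ql.h - 1 <= qr.h <= ql.h)
             and (not f or (ql.f and qr.f and ql.h == qr.h))
             and (ql.f or (qr.h < ql.h and qr.f))
             and (qr.f or (qr.h == ql.h and ql.f)))
    heap = sigma >= ql.val and sigma >= qr.val
    return State(h, f, sigma) if shape and heap else None


def run(t: Node) -> Optional[State]:
    """Compute pi(t) bottom-up; None means no state satisfies the transition constraints."""
    if t.left is None and t.right is None:
        return psi_leaf(t.val)
    if t.right is None:
        ql = run(t.left)
        return None if ql is None else psi_l(ql, t.val)
    if t.left is None:
        qr = run(t.right)
        return None if qr is None else psi_r(qr, t.val)
    ql, qr = run(t.left), run(t.right)
    if ql is None or qr is None:
        return None
    return psi_lr(ql, qr, t.val)


def accepts(t: Node, psi_final: Callable[[State], bool] = lambda q: True) -> bool:
    """Acceptance: a run exists and the root state satisfies psi^F (a tautology by default)."""
    q = run(t)
    return q is not None and psi_final(q)


# Constructed sample trees (the numbers are the val labels).
HEAP = Node(10, Node(8, Node(4), Node(7)), Node(9, Node(5)))              # valid max heap
RIGHT_ONLY = Node(10, Node(8, Node(4), Node(7)), Node(9, None, Node(5)))  # a right-only child
GAP = Node(10, Node(8, Node(4)), Node(9, Node(5), Node(6)))               # last level not filled left to right
BAD_HEAP = Node(10, Node(8, Node(4), Node(11)), Node(9))                  # 11 sits below its parent 8

if __name__ == "__main__":
    for name, tree in [("HEAP", HEAP), ("RIGHT_ONLY", RIGHT_ONLY), ("GAP", GAP), ("BAD_HEAP", BAD_HEAP)]:
        print(f"{name:10s} accepted={accepts(tree)} root_state={run(tree)}")
    print("HEAP with psi^F(q) = q.h >= 100:", accepts(HEAP, lambda q: q.h >= 100))
```

The run on `HEAP` ends in the root state `State(h=3, f=False, val=10)`: the left child is a complete tree of height 2, the right child (which has a single leaf child) is not, and the root inherits the height of the left child plus one.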


5 Solving the Emptiness Problem for SDTAs 


The emptiness problem for SDTAs consists in determining whether the tree lan- 
guage recognized by a given SDTA A is empty, i.e., whether L(A) is empty. We 
first prove that the emptiness problem for SDTAs is undecidable, and then show 
that it can be reduced to the satisfiability of a system of constrained Horn clauses 
(CHCs), for which increasingly efficient off-the-shelf semi-procedures exist. 

It is well known that the emptiness problem for tree automata is decidable [8]. 
However, as explained for Mso-D in Sect. 3, as soon as the state data signa- 
ture involves an unbounded data domain (such as integers or reals) and basic 
arithmetic (e.g., increment and test for zero), the emptiness problem becomes 
undecidable. Thus, we have the following. 


Theorem 1. The emptiness problem for SDTAs is undecidable. 


We cope with this negative result by providing a reduction to the satisfiability 
of a system of CHCs, when the transition constraints of the automaton are 
defined through quantifier-free first-order logic formulas. 
Constrained Horn Clauses. We fix a set $R$ of uninterpreted fixed-arity relation 
symbols, which represent the unknowns in the system. A Constrained Horn 
Clause, or CHC for short, is a formula of the form $H \leftarrow C \wedge B_1 \wedge \cdots \wedge B_n$ where: 

— $C$ is a constraint over some background theory that does not contain any 
application of predicates in $R$; 
— for every $i \in [n]$, $B_i$ is an application $p(v_1, \ldots, v_k)$ of a relation symbol $p \in R$ 
to first-order variables $v_1, \ldots, v_k$; 
— $H$ is the clause head and, similarly to $B_i$, is an application $p(v_1, \ldots, v_k)$ of a 
relation symbol $p \in R$ to the first-order variables, or $\mathit{false}$; 
— the first-order variables appearing in the signature of the predicates and 
constraints are all implicitly universally quantified. 


A finite set $\mathcal{H}$ of CHCs is a system, and it corresponds to the first-order 
formula obtained by putting all its CHCs in conjunction. We assume that the 
semantics of constraints is given a priori as a structure. A system $\mathcal{H}$ with relation 
symbols $R$ is satisfiable if there is an interpretation to each predicate in $R$ that 
makes all clauses in $\mathcal{H}$ valid. 

It is a well-known result from constraint logic programming that every system 
of CHCs $\mathcal{H}$ has a unique minimal model that can be computed as the fixed-point 
of an operator derived from the clauses of $\mathcal{H}$ [16,26]. This property allows 
us to use a fixed-point semantics for CHC systems to justify the correctness of 
the reduction defined below (i.e., Theorem 2). 


Reduction. We give a linear time reduction from the emptiness problem for SDTAs 
to the satisfiability of systems of CHCs. Let $A = (S^\Sigma, S^Q, \psi^F, \Psi^\Delta)$ be an SDTA 
with $\Psi^\Delta = (\psi_{lr}, \psi_l, \psi_r, \psi_{leaf})$, let $q_l$, $q_r$ and $q$ be structured variables 
of type $S^Q$, $\sigma$ be a structured variable of type $S^\Sigma$, and $h(q)$ be an uninterpreted 
predicate. We map $A$ into the CHC system $\mathcal{H}_A$ formed by the following CHCs: 

$$h(q) \leftarrow \psi_{lr}(q_l, q_r, \sigma, q) \wedge h(q_l) \wedge h(q_r)$$
$$h(q) \leftarrow \psi_l(q_l, \sigma, q) \wedge h(q_l)$$
$$h(q) \leftarrow \psi_r(q_r, \sigma, q) \wedge h(q_r)$$
$$h(q) \leftarrow \psi_{leaf}(\sigma, q)$$
$$\mathit{false} \leftarrow \psi^F(q) \wedge h(q)$$


Theorem 2 (Emptiness). Let $A$ be an SDTA. Then, $L(A)$ is empty if and only 
if $\mathcal{H}_A$ is satisfiable. 
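The reduction above applied to a concrete SDTA, as an added example that is neither the paper's nor its prototype's code. It emits $\mathcal{H}_A$ in the SMT-LIB `HORN` format read by CHC engines such as the one in Z3. The automaton encoded is the BST recognizer sketched in the Introduction: state signature $\{\mathit{min} : \mathbb{Z}, \mathit{max} : \mathbb{Z}\}$, alphabet $\{val : \mathbb{Z}\}$; its four transition constraints are our own rendering of that sketch, written as SMT-LIB terms over the scalar variables `ql_*`, `qr_*`, `s_*` and `q_*` that flatten $q_l$, $q_r$, $\sigma$ and $q$. The fifth clause is the goal clause carrying $\psi^F$. With $\psi^F = \mathit{true}$ the goal is reachable from the leaf clause, so the system is unsatisfiable and, by Theorem 2, $L(A) \neq \emptyset$; with $\psi^F(q) = q.\mathit{min} > q.\mathit{max}$ every clause preserves $q.\mathit{min} \leq q.\mathit{max}$, so a solver can interpret $h$ as that invariant, the system is satisfiable, and $L(A) = \emptyset$.

```python
# Data signatures as (field, SMT-LIB sort) lists; constructed for this example.
STATE_SIG = [("min", "Int"), ("max", "Int")]   # S^Q of the BST automaton
ALPHA_SIG = [("val", "Int")]                   # S^Sigma

# Transition constraints of the BST automaton (our rendering of the sketch in the
# Introduction): q holds the min/max of the sub-tree, left values <= node < right values.
# Variables: ql_* left child state, qr_* right child state, s_* label, q_* parent state.
BST_PSI = {
    "leaf": "(and (= q_min s_val) (= q_max s_val))",
    "l":    "(and (<= ql_max s_val) (= q_min ql_min) (= q_max s_val))",
    "r":    "(and (< s_val qr_min) (= q_min s_val) (= q_max qr_max))",
    "lr":   "(and (<= ql_max s_val) (< s_val qr_min) (= q_min ql_min) (= q_max qr_max))",
}


def fields(prefix, sig):
    """Flatten a structured variable of a data signature into scalar SMT-LIB variables."""
    return [(f"{prefix}_{name}", sort) for name, sort in sig]


def binders(vs):
    return "(" + " ".join(f"({v} {s})" for v, s in vs) + ")"


def app(pred, vs):
    return f"({pred} {' '.join(v for v, _ in vs)})"


def clause(head, body, vs):
    """A CHC  head <- body  as the SMT-LIB assertion  forall vs. body => head."""
    return f"(assert (forall {binders(vs)} (=> {body} {head})))"


def chc_system(state_sig, alpha_sig, psi, psi_final="true"):
    """Build H_A for an SDTA given by its transition constraints psi and final constraint psi_final."""
    q, ql, qr = fields("q", state_sig), fields("ql", state_sig), fields("qr", state_sig)
    s = fields("s", alpha_sig)

    def h(vs):
        return app("h", vs)

    return "\n".join([
        "(set-logic HORN)",
        f"(declare-fun h ({' '.join(sort for _, sort in state_sig)}) Bool)",
        clause(h(q), f"(and {psi['lr']} {h(ql)} {h(qr)})", ql + qr + s + q),
        clause(h(q), f"(and {psi['l']} {h(ql)})", ql + s + q),
        clause(h(q), f"(and {psi['r']} {h(qr)})", qr + s + q),
        clause(h(q), psi["leaf"], s + q),
        clause("false", f"(and {psi_final} {h(q)})", q),   # goal clause: false <- psi^F(q) /\ h(q)
        "(check-sat)",
    ])


def interpret(answer):
    """Theorem 2 read off a solver's verdict: satisfiable iff L(A) is empty."""
    return {"sat": "L(A) is empty", "unsat": "L(A) is non-empty"}.get(answer.strip(), "unknown")


if __name__ == "__main__":
    print(chc_system(STATE_SIG, ALPHA_SIG, BST_PSI))                      # expect unsat: BSTs exist
    print(chc_system(STATE_SIG, ALPHA_SIG, BST_PSI, "(> q_min q_max)"))   # expect sat: h := q_min <= q_max
```

Feeding either script to a CHC engine and passing its one-word verdict to `interpret` gives the emptiness answer; the direction of Theorem 2 is the part practitioners most often get backwards, which is why the mapping is spelled out as a function.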


6 From Logic to Automata 


In this section, we describe a reduction from the satisfiability problem of Mso-D 
to the emptiness problem of SDTAs, when the Mso-D formula $\varphi$ is a sentence 
in the following form: 

$$\varphi = \exists x_1, \ldots, x_n.\ \forall y_1, \ldots, y_m.\ \theta \qquad (2)$$

where each data constraint of the formula $\theta$, say $r(f_1(t_1), \ldots, f_k(t_k))$, satisfies 
one of the following: 
— $r$ is unary (i.e., $k = 1$), or 
— $r$ depends only on variables $x_1, \ldots, x_n$ and at most one of the variables 
$y_1, \ldots, y_m$, i.e., $Var(t_1, \ldots, t_k) \subseteq \{x_1, \ldots, x_n, y_i\}$, for some $i \in [m]$. 


Notice that $\theta$ may contain other quantifiers, but the additional quantified vari- 
ables can occur only inside unary data constraints. Moreover, it is easy to see that 
this fragment is closed under positive Boolean combinations (i.e., conjunctions 
and disjunctions). 

This fragment strictly includes the Mso logic with data defined in [11] for 
data words, which only allows unary data constraints. Below we show that the 
added expressivity can be used to define and verify properties of a variety of data 
structures, including those from Examples 4 and 5, and infinite-state games. 

In our reduction, we first construct a standard finite-state tree automaton 
over a finite alphabet (Sect. 6.1), which we then convert to an SDTA (Sect. 6.2). 


6.1 Building the Enumerated Tree Automaton 


The first step in our reduction from Mso-D to SDTAs is to convert the Mso-D 
formula $\varphi$ of type (2) into a formula $\varphi'$ in standard Mso by abstracting away all 
data constraints. We distinguish two types of data constraints. Global constraints 
refer only to the data of the existentially quantified variables $x_i$; on a given data 
tree, once the interpretation of those variables is chosen, each global constraint is 
either true or false: it is a global property of the tree. Local constraints, instead, 
additionally refer to a variable, say $z$, that is not one of $\{x_1, \ldots, x_n\}$; even if the 
interpretation of $\{x_1, \ldots, x_n\}$ is fixed, the truth of such constraints depends on 
the interpretation of $z$. Accordingly, we replace each data constraint in $\theta$, say 
$r(f_1(t_1), \ldots, f_k(t_k))$, as follows: 

Global Constraints. If $Var(t_1, \ldots, t_k) \subseteq \{x_1, \ldots, x_n\}$, we replace all occurrences 
of the data constraint with a new propositional variable $p$. We denote by 
$p_1, \ldots, p_h$ all such propositional variables. 

Local Constraints. Otherwise, there is a unique variable $z \in Var(t_1, \ldots, t_k)$ that 
is not one of $\{x_1, \ldots, x_n\}$. We then introduce a new free second-order vari- 
able $C$, and replace each occurrence of the above data constraint with the 
clause $z \in C$. We denote by $C_1, \ldots, C_l$ all the second-order variables intro- 
duced in this process. 

Besides the above substitutions, in the resulting Mso formula we leave variables 
$x_1, \ldots, x_n$ free, so that the models of the formula will carry the interpretation of 
those variables as extra bits in the node labels (recall the discussion on extended 
models in Sect. 3). We thus obtain the following Mso formula: 

$$\varphi' \stackrel{\mathrm{def}}{=} \forall y_1, \ldots, y_m.\ \theta' \qquad (3)$$

where $\theta'$ denotes $\theta$ after the substitutions above. Since $\varphi'$ has no data constraints, 
we can take its data signature to be empty. 


Example 7. Consider the formula $\psi_{bst}$ from Example 4 that defines BSTs using 
auxiliary data $\mathit{min}$ and $\mathit{max}$. Since it uses a single universal quantifier, it belongs 
to the syntactic fragment (2). For the sake of simplicity, consider a stronger 
formula $\psi'_{bst}$ forcing internal nodes to have two children (a.k.a. a full BST): 

$$\psi'_{bst} \stackrel{\mathrm{def}}{=} \psi_{bst} \wedge \forall y.\ \mathit{full\_tree}(y), \quad \text{where} \quad \mathit{full\_tree}(y) = (\neg\mathit{leaf}(y) \rightarrow (y.\mathit{left} \neq y \wedge y.\mathit{right} \neq y)).$$

Now, consider the following true property of full BSTs: the successor of an 
internal node is the left-most leaf in its right sub-tree. The following formula 
states the opposite of that property: 

$$\psi_{succ} \stackrel{\mathrm{def}}{=} \exists x_1, x_2, x_3.\ \big( (val(x_1) < val(x_2) < val(x_3)) \wedge \neg\mathit{leaf}(x_1) \wedge \mathit{leaf}(x_3) \wedge \mathit{left\_only\_path}(x_1.\mathit{right}, x_3) \big).$$

It is easy to see that $\psi'_{bst} \wedge \psi_{succ}$ is equivalent to a formula $\omega$ in our fragment: 

$$\exists x_1, x_2, x_3.\ \forall y.\ \big( (val(x_1) < val(x_2) < val(x_3)) \wedge \neg\mathit{leaf}(x_1) \wedge \mathit{leaf}(x_3)$$
$$\wedge\ \mathit{left\_only\_path}(x_1.\mathit{right}, x_3) \wedge \mathit{full\_tree}(y)$$
$$\wedge\ (y \neq y.\mathit{left} \mathrel{?} \mathit{min}(y) = \mathit{min}(y.\mathit{left}) \wedge \mathit{max}(y.\mathit{left}) < val(y) : \mathit{min}(y) = val(y))$$
$$\wedge\ (y \neq y.\mathit{right} \mathrel{?} \mathit{max}(y) = \mathit{max}(y.\mathit{right}) \wedge \mathit{min}(y.\mathit{right}) > val(y) : \mathit{max}(y) = val(y)) \big).$$

The conversion outlined above turns $\omega$ into the following Mso formula: 

$$\forall y.\ \big( p_1 \wedge \neg\mathit{leaf}(x_1) \wedge \mathit{leaf}(x_3) \wedge \mathit{left\_only\_path}(x_1.\mathit{right}, x_3) \wedge \mathit{full\_tree}(y)$$
$$\wedge\ (y \neq y.\mathit{left} \mathrel{?} y \in C_1 : y \in C_2) \wedge (y \neq y.\mathit{right} \mathrel{?} y \in C_3 : y \in C_4) \big),$$

where proposition $p_1$ corresponds to the global constraint $val(x_1) < val(x_2) < val(x_3)$, 
the second-order variable $C_1$ corresponds to the local constraint 
$\mathit{min}(y) = \mathit{min}(y.\mathit{left}) \wedge \mathit{max}(y.\mathit{left}) < val(y)$, and variables $C_2$ – $C_4$ correspond 
to the other data constraints in $\psi_{bst}$. 


We now apply the standard MSO construction to $\varphi'$, leading to a bottom-up
finite-state tree automaton $A_{\varphi'}$ on the alphabet $\Sigma = \{0,1\}^{n+h+l}$, accepting
all finite trees that represent interpretations satisfying $\varphi'$. The alphabet is $\Sigma$
because $n + h + l$ is the total number of free variables in $\varphi'$: $n$ first-order
variables $x_i$, $h$ propositional variables $p_i$ (corresponding to global constraints), and
$l$ second-order variables $C_i$ (corresponding to local constraints). We recall the
formal statement of this construction below; for more details see [40] and [8].

Theorem 3. For all MSO formulas $\varphi'$ on the empty data signature, with free
first-order variables $x_1, \ldots, x_n$, propositional variables $p_1, \ldots, p_h$, and second-order
variables $C_1, \ldots, C_l$, there is a deterministic bottom-up tree automaton on
the alphabet $\{0,1\}^{n+h+l}$ whose language consists of all extended trees $T$ such
that $T \models \varphi'$.


262 M. Faella and G. Parlato 


Simplifying Assumptions. To simplify the presentation of the following
constructions, we make two simplifying assumptions. First, we assume that all
terms appearing in data constraints are variables, and not composite terms like
$x.left.right$. Dropping this assumption is technically simple and omitted due to
space constraints. Second, we assume that all connecting functions $f$ appearing
in data constraints correspond to fields in $S$. Sentences that satisfy the second
assumption have a unique interpretation $\mathcal{I}$, because they have no free variables
and the connecting functions must be interpreted as the functions extracting the
corresponding field from each node. We discuss how to remove this restriction
in Sect. 6.3.

We now establish a relation between $\Sigma$-trees accepted by $A_{\varphi'}$ and data trees
on the data signature $S$ defined by $\varphi$. Denote by $(a_1, \ldots, a_n, b_1, \ldots, b_h, c_1, \ldots, c_l)$
the generic element of $\Sigma$. Given a $\Sigma$-tree $(T, \sigma)$ and a variable $x_i$ in $\varphi'$, we define
$node(\sigma, x_i)$ to be the unique node $u \in T$ such that the $a_i$ component of $\sigma(u)$ is
1. In words, the function $node$ picks the position in the tree where the $\Sigma$-tree
activates the bit $a_i$.


Definition 2. Consider an MSO-D sentence $\varphi$ of the form (2) on the data
signature $S$, and let $\mathcal{I}$ be its unique interpretation. We say that a $\Sigma$-tree $(T, \sigma)$
and an $S$-tree $(T, \lambda)$ are consistent iff for all nodes $u \in T$ the following hold:

1. For all $i \in [h]$, let $r_i^{glob}(f_i^1(\alpha_i^1), \ldots, f_i^{k_i}(\alpha_i^{k_i}))$ be the global constraint from $\varphi$
corresponding to the propositional variable $p_i$ from $\varphi'$. Recall that under the
simplifying assumptions each $\alpha_i^j$ is one of $x_1, \ldots, x_n$, and each $f_i^j$ is one of
the names of the fields of $S$. Then, $\sigma(u)(b_i) = 1$ iff the following holds:

$$\mathcal{I}(r_i^{glob})\big(\mathcal{I}(f_i^1)(node(\sigma, \alpha_i^1)), \ldots, \mathcal{I}(f_i^{k_i})(node(\sigma, \alpha_i^{k_i}))\big).$$

2. For all $i \in [l]$, let $r_i^{loc}(g_i^1(\beta_i^1), \ldots, g_i^{k_i}(\beta_i^{k_i}), g_i(y))$ be the local constraint from
$\varphi$ corresponding to the second-order variable $C_i$ from $\varphi'$. Recall that each $\beta_i^j$
is one of $x_1, \ldots, x_n$, and each $g_i^j$ (as well as $g_i$) is one of the names of the
fields of $S$. Then, $\sigma(u)(c_i) = 1$ iff the following holds:

$$\mathcal{I}(r_i^{loc})\big(\mathcal{I}(g_i^1)(node(\sigma, \beta_i^1)), \ldots, \mathcal{I}(g_i^{k_i})(node(\sigma, \beta_i^{k_i})), \mathcal{I}(g_i)(u)\big).$$

The following result states the fundamental relationship between $\varphi$ and $A_{\varphi'}$.

Theorem 4. Let $\varphi$ be an MSO-D sentence of the form (2) on the data signature
$S$, and let $A_{\varphi'}$ be the corresponding tree automaton described above. For all data
trees $(T, \lambda)$ with data signature $S$, the following are equivalent:

1. it holds $(T, \lambda), \mathcal{I} \models \varphi$, where $\mathcal{I}$ is the unique interpretation of $\varphi$;
2. there exists a tree $(T, \sigma) \in L(A_{\varphi'})$ s.t. $(T, \lambda)$ and $(T, \sigma)$ are consistent.
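
The consistency conditions of Definition 2, instantiated on the full-BST formula of Example 7, as an added Python example (this is not the paper's construction or tool): instead of building the tree automaton $A_{\varphi'}$, it computes the $\Sigma$-labelling that a consistent $\Sigma$-tree must carry for a guessed position of $x_1, x_2, x_3$ and then evaluates the data-free MSO formula $\varphi'$ on it by brute force. The sample trees, the self-loop encoding of a missing child ($y.left = y$, as on this page), and the names `label`, `mso_side` and `satisfiable` are assumptions of the example.

```python
"""Definition 2 (consistent Sigma-labelling) worked out for Example 7.
Added example, not the paper's code: a brute-force semantic check of
phi = psi_fBST /\ psi_succ on small constructed data trees.
Node data: val plus the auxiliary fields min and max; a missing child is a self-loop."""
from itertools import product


def node(val, mn, mx, left, right):
    """One node of a constructed data tree."""
    return {"val": val, "min": mn, "max": mx, "left": left, "right": right}


# Constructed full BST over keys 1,2,3,5,7,8,9; min/max hold the subtree bounds.
FULL_BST = {
    "r": node(5, 1, 9, "a", "b"),
    "a": node(2, 1, 3, "a1", "a2"), "a1": node(1, 1, 1, "a1", "a1"), "a2": node(3, 3, 3, "a2", "a2"),
    "b": node(8, 7, 9, "b1", "b2"), "b1": node(7, 7, 7, "b1", "b1"), "b2": node(9, 9, 9, "b2", "b2"),
}

# Constructed full tree that is NOT a BST: key 9 sits in the left subtree of key 4.
NON_BST = {
    "r": node(2, 0, 10, "l", "m"), "l": node(0, 0, 0, "l", "l"),
    "m": node(4, 9, 10, "m1", "m2"), "m1": node(9, 9, 9, "m1", "m1"), "m2": node(10, 10, 10, "m2", "m2"),
}


def leaf(tree, u):
    return tree[u]["left"] == u and tree[u]["right"] == u


def left_only_path(tree, u, v):
    """v is reached from u by following left pointers only (zero or more steps)."""
    while u != v:
        if tree[u]["left"] == u:
            return False
        u = tree[u]["left"]
    return True


def label(tree, guess):
    """Sigma-symbol (a_1, a_2, a_3, b_1, c_1, c_2, c_3, c_4) at every node, per Definition 2."""
    x1, x2, x3 = guess
    b1 = int(tree[x1]["val"] < tree[x2]["val"] < tree[x3]["val"])  # global constraint p_1
    sym = {}
    for u, n in tree.items():
        left, right = tree[n["left"]], tree[n["right"]]
        c1 = int(n["min"] == left["min"] and left["max"] < n["val"])   # branch y != y.left
        c2 = int(n["min"] == n["val"])                                  # branch y = y.left
        c3 = int(n["max"] == right["max"] and right["min"] > n["val"])  # branch y != y.right
        c4 = int(n["max"] == n["val"])                                  # branch y = y.right
        sym[u] = (int(u == x1), int(u == x2), int(u == x3), b1, c1, c2, c3, c4)
    return sym


def mso_side(tree, sym, guess, require_bst=True):
    """Evaluate phi' of Example 7 on the labelled tree, reading C_i as {u | c_i(u) = 1}.
    With require_bst=False the two local-constraint conjuncts are dropped."""
    x1, _, x3 = guess
    ok = bool(sym[x1][3]) and not leaf(tree, x1) and leaf(tree, x3) \
        and left_only_path(tree, tree[x1]["right"], x3)
    for u, n in tree.items():                       # the universally quantified y
        full = leaf(tree, u) or (n["left"] != u and n["right"] != u)
        s = sym[u]
        in_bst = (s[4] if n["left"] != u else s[5]) and (s[6] if n["right"] != u else s[7])
        ok = bool(ok and full and (in_bst or not require_bst))
    return ok


def satisfiable(tree, require_bst=True):
    """phi holds on the tree iff some guess of x_1, x_2, x_3 works;
    True means the SUCCESSOR property is violated on this tree."""
    return any(mso_side(tree, label(tree, g), g, require_bst) for g in product(tree, repeat=3))
```

On the constructed full BST no guess satisfies $\varphi$, matching the claim that the SUCCESSOR property holds on full BSTs; on the non-BST tree the successor part alone is satisfiable, but the local constraints reject the tree, so $\varphi$ still fails there.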

6.2 Building the Symbolic Data Tree Automaton


We now convert the tree automaton from the previous section into an SDTA that
accepts all and only the data trees satisfying the original MSO-D formula $\varphi$.
Intuitively, the SDTA mimics the behavior of the tree automaton, and in
doing so, it enforces the data constraints contained in $\varphi$. The information about
which constraints should be true and which should be false at every node is
encoded in the alphabet $\Sigma = \{0,1\}^{n+h+l}$ of the tree automaton. In detail, if
$(a_1, \ldots, a_n, b_1, \ldots, b_h, c_1, \ldots, c_l)$ is a generic symbol from the alphabet, the $b_i$'s
encode the truth value of the global constraints, and the $c_i$'s encode the truth
value of the local constraints. However, the data on which to evaluate those
constraints comes from different sources. The global constraints are evaluated
only on the guessed data for the existentially quantified variables $x_1, \ldots, x_n$,
whereas the local constraints also access the data of the current node.

Finally, the $a_i$ component of the alphabet encodes the actual position of
each $x_i$ in the current tree (i.e., $a_i$ is 1 only in the node that is the interpretation
of $x_i$). So, when $a_i = 1$ the symbolic automaton checks that the guessed data
evaluation for $x_i$ corresponds to the data in the current node.

Let $A_{\varphi'} = (\Sigma, Q, F, \Delta)$ be the tree automaton from Sect. 6.1; we now define
the SDTA $A_\varphi = (S, S^Q, \Psi^F, \Psi^\Delta)$. First, notice that the alphabet data signature
$S$ coincides with that of the original MSO-D formula. We then set the state data
signature $S^Q$ to $\{state : Q\} \cup \{id^i : type \mid (id : type) \in S,\ i = 1 \ldots n\}$, i.e., $S^Q$
contains an enumerated data field representing the state of the tree automaton
$A_{\varphi'}$, and $n$ copies of each data field in $S$. These copies are used to store the
guessed data evaluations for the existentially quantified variables $x_i$ from (2).
For a symbolic state $q \in L(S^Q)$ and $i \in [n]$, we denote by $q[x_i]$ the $i$-th projection
of $q$ on $S$, i.e., the evaluation that assigns to each field $id$ in $S$ the value $q.id^i$.
The acceptance constraint $\Psi^F(q)$ is simply defined as $q.state \in F$.

Regarding the transition constraints $\Psi^\Delta$, we will focus only on the case of
nodes with two children, since the other cases are similar. Let $(s_l, s_r, a, s)$ be a
transition in $A_{\varphi'}$, where $a = (a_1, \ldots, a_n, b_1, \ldots, b_h, c_1, \ldots, c_l) \in \Sigma$. We add the
following implicant to the transition constraint $\Psi^\Delta$:

$$\begin{aligned}
\Big\{\ & q_l.state = s_l \wedge q_r.state = s_r \wedge q.state = s & (4a)\\
& \wedge \bigwedge_{i \in [n]} \big( q_l[x_i] = q[x_i] \wedge q_r[x_i] = q[x_i] \big) \wedge \bigwedge_{\{i \mid a_i = 1\}} \big( q[x_i] = \sigma \big) & (4b)\\
& \wedge \bigwedge_{i \in [h]} \Big[ b_i \Rightarrow \mathcal{I}(r_i^{glob})\big( q[\alpha_i^1].f_i^1, \ldots, q[\alpha_i^{k_i}].f_i^{k_i} \big) \Big] & (4c)\\
& \wedge \bigwedge_{i \in [l]} \Big[ c_i \Rightarrow \mathcal{I}(r_i^{loc})\big( q[\beta_i^1].g_i^1, \ldots, q[\beta_i^{k_i}].g_i^{k_i}, \sigma.g_i \big) \Big] \ \Big\} \Rightarrow \Psi^\Delta(q_l, q_r, \sigma, q). & (4d)
\end{aligned}$$

The above conjuncts can be explained as follows: (4a) mimics the state change
in the discrete transition, the first part of (4b) states that the $n$ copies of the
data fields held by the symbolic automaton are uniform over the whole tree,
the second part of (4b) additionally states that the $i$-th copy of the data fields
coincides with the data $\sigma$ in the unique node where the discrete automaton
prescribes $a_i = 1$, (4c) enforces the $i$-th global constraint $r_i^{glob}$ in all nodes where
the discrete automaton prescribes $b_i = 1$, and finally (4d) enforces the local
constraints when the $c_i$ component of the discrete alphabet is 1.

[Figure 1 (diagram not recoverable from the extracted text; boxes read: MSO-D formula (2), MSO formula (3), MONA, CHC solver)]

Fig. 1. Architecture of the prototype implementation. Dashed transformations are performed manually, but could be automated by an MSO-D parser.


Theorem 5. Let $\varphi$ be an MSO-D sentence of the form (2) and let $A_\varphi$ be the
corresponding SDTA described above. We have $L(\varphi) = L(A_\varphi)$.


6.3 Supporting Auxiliary Data 


So far, we have assumed that all connecting function symbols $f$ appearing in the
data constraints correspond to fields in $S$. In other words, all data constraints
refer to data fields that are present in the trees. However, our logic also supports
connecting function symbols that do not correspond to fields in the data signature.
In that case, the interpretation is free to assign any value to $f(u)$, for each
node $u$ in the data tree. Thus, the SDTA $A_\varphi$ must accept a data tree if there
exists an interpretation for those functions that satisfies the formula. To achieve
this effect, let $\{f_i\}_{i = 1 \ldots k}$ be the set of connecting function symbols occurring in
$\varphi$ and not corresponding to data fields in $S$, where $f_i$ has type $nodes \rightarrow data_i$.
Define the extended data signature

$$S' = S \cup \{\, f_i : data_i \,\}_{i = 1 \ldots k}.$$

We enrich the state data signature of $A_\varphi$ as follows:

$$S^Q = \{state : Q\} \cup \{name^i : type \mid (name : type) \in S',\ i = 0 \ldots n\}.$$

Compared to the original definition from Sect. 6.2, we store an extra copy of
the data fields, identified by index 0, representing the data in the current node.
Moreover, all copies include the auxiliary data fields. It is straightforward to
adapt the constraint $\Psi^\Delta$ from Sect. 6.2 to support such auxiliary data fields.


7 Implementation and Experiments 


We implemented a prototype toolchain supporting our framework as shown in
Fig. 1. Instead of developing an MSO-D parser, we provide an MSO formula
already in the form (3), and supply the data constraints and the data signature
for the formula in a separate file, directly in the SMT-LIB format. Next, we
convert the MSO formula into an equivalent tree automaton, and in turn into a
system of CHCs (as described in Sect. 5). We used Z3 v4.8.10 (64 bit for Windows 10) [36] as the CHC solver, and MONA v1.4 [28] as the MSO-to-automata
translator. The only new piece of code required by this implementation is the
converter from the MONA tree automaton format to CHCs in the SMT-LIB
language, which is a simple one-to-one textual transformation. For the experiments, we used a dedicated machine with 16 GB of physical memory and an
AMD Ryzen 7 2700X clocked at 3.7 GHz, running Windows 10.
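
As an added example of the CHC side of this toolchain (not the paper's MONA-to-CHC converter, whose input format is not shown on this page), the following Python renders a hand-built SDTA as a system of CHCs in the SMT-LIB HORN logic, and also runs the same automaton bottom-up on a constructed tree so that the meaning of the emitted clauses is visible. The automaton (full BSTs over the data signature $\{val : Int\}$, with symbolic state the pair of subtree bounds), the predicate name `Acc` and the clause layout are assumptions of the example.

```python
"""Render a small symbolic data tree automaton as CHCs in SMT-LIB (HORN logic).
Added example, not the paper's converter; the clause shape is an assumption.
Acc(mn, mx) reads "some subtree with minimum mn and maximum mx is accepted"."""

# Constructed transition rules: (bound variables, premises, head), as SMT-LIB terms.
SDTA_RULES = [
    # leaf with value v: symbolic state (v, v)
    (["v Int"], [], "(Acc v v)"),
    # node with two children: transition constraint lmax < v < rmin, new state (lmin, rmax)
    (["v Int", "lmin Int", "lmax Int", "rmin Int", "rmax Int"],
     ["(Acc lmin lmax)", "(Acc rmin rmax)", "(< lmax v)", "(< v rmin)"],
     "(Acc lmin rmax)"),
]

# Query: is there an accepted tree whose maximum lies below its minimum?
QUERY = (["mn Int", "mx Int"], ["(Acc mn mx)", "(< mx mn)"])


def _clause(bound, premises, head):
    """One universally quantified Horn clause: (forall bound (=> premises head))."""
    binders = " ".join(f"({v})" for v in bound)
    if not premises:
        body = "true"
    elif len(premises) == 1:
        body = premises[0]
    else:
        body = "(and " + " ".join(premises) + ")"
    return f"(assert (forall ({binders}) (=> {body} {head})))"


def chc_system(rules, query_bound, query_premises):
    """Declarations, one clause per transition rule, and the query clause (head `false`).
    As in Sect. 7.1, a satisfiable system means no accepted tree matches the query."""
    lines = ["(set-logic HORN)", "(declare-fun Acc (Int Int) Bool)"]
    lines += [_clause(*rule) for rule in rules]
    lines.append(_clause(query_bound, query_premises, "false"))
    lines.append("(check-sat)")
    return "\n".join(lines)


def run_sdta(tree, u):
    """Concrete bottom-up run of the same automaton on a constructed tree whose leaves
    have children None: returns the symbolic state (mn, mx), or None if rejected."""
    n = tree[u]
    if n["left"] is None:
        return (n["val"], n["val"])
    left, right = run_sdta(tree, n["left"]), run_sdta(tree, n["right"])
    if left is None or right is None or not (left[1] < n["val"] < right[0]):
        return None
    return (left[0], right[1])


if __name__ == "__main__":
    print(chc_system(SDTA_RULES, *QUERY))
```

The interpretation $Acc(mn, mx) := mn \le mx$ satisfies every emitted clause, so this system is satisfiable, which in the reading used in Sect. 7.1 means that no accepted tree matches the query; a query that some accepted tree does match would make the system unsatisfiable instead.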


7.1 Proving Properties of Tree Data Structures 


Consider the property of full BSTs described in Example 7, namely that the
successor of an internal node is the left-most leaf in its right subtree. We submitted
to our tool the conjunction $\psi_{fBST} \wedge \psi_{succ}$, which would be satisfied only
by a full BST where the successor of an internal node is not the left-most leaf
in its right subtree (property SUCCESSOR). Once the formula is converted into a
system of CHCs, the SMT solver proves satisfiability of the system (and hence,
unsatisfiability of the original formula) in less than a second.


Table 1. MSO-D satisfiability experiments (Sect. 7). Times are Z3 solving times, given in hours (h), minutes (') and seconds (").

Example      MSO-D property     Number of CHCs   Result   Time (Z3)
RBTs         BLACKHEIGHT                    76   unsat    0.3"
Full BSTs    SUCCESSOR                     945   unsat    0.2"
Cinderella   STEPMOTHER(1.0)            23,387   sat      3'
Cinderella   STEPMOTHER(1.5)            23,387   sat      7' 41"
Cinderella   STEPMOTHER(1.8)            23,387   sat      11' 56"
Cinderella   STEPMOTHER(2.0)            23,387   unsat    1h 54'
Cinderella   STEPMOTHER(3.0)            23,387   unsat    1h 16'


For RBTs, we consider the property that there exists an internal node whose
black height is less than half of its height (property BLACKHEIGHT). Our approach
can prove that this property is unsatisfiable on RBTs in less than a second.
Both experiments are summarized in Table 1.


7.2 Solving an Infinite-State Game 


Our approach can be used to solve certain infinite-state games, such as the 
Cinderella-Stepmother game [1,3]. In this software synthesis benchmark, two 
players share n buckets, each holding up to c units of water. The buckets are 
positioned in a circle and are initially empty. The game is played in a discrete 
sequence of turns: when it is Cinderella’s turn, she can empty two adjacent 
buckets. When it is the Stepmother’s turn, she can pour water into any subset of 
buckets, for a total of 1 unit of water. If any of the buckets overflows, Stepmother 
wins. If the game continues forever with no overflows, Cinderella wins. It can 
be described as an infinite-state turn-based two-player game of infinite duration 
with a safety objective (for Cinderella). Notice how not only the game state-space 
is infinite, but so are the moves available to Stepmother at each step. 

Given values for the parameters $n$ and $c$, we build an MSO-D formula $\varphi_{n,c}$
that is satisfiable if and only if Stepmother wins the game with those parameters.
The formula holds true on finite trees representing winning strategies of
Stepmother. In other words, a tree that satisfies $\varphi_{n,c}$ tracks all possible game plays
where Stepmother pours water according to a specific deterministic plan and
Cinderella takes all possible moves. Due to space constraints, further details on
the encoding are deferred to an extended version of this paper.

In our experiments, we fixed the number of buckets $n$ to 5 and checked the
satisfiability of $\varphi_{5,c}$ for various values of the capacity $c$. In Table 1, we denote by
STEPMOTHER($c$) the formula $\varphi_{5,c}$. Bodlaender et al. [3], among their comprehensive
analysis of this game, show that for $n = 5$, the minimum capacity for which
Cinderella wins the game is $c = 2$ (see Table 1 in [3]). Their proof for this case is
manual. Other cases were settled with the help of an SMT solver, using invariants
based on non-trivial insights on the reasonable strategies of Stepmother.
On the contrary, our encoding based on MSO-D employs only the rules of the
game, with no further constraints on the players' moves.

Our setup successfully solves the game for various values of the capacity. The
time needed by the SMT solver is very uneven, ranging from three minutes to
a maximum of almost two hours for $c = 2$. That is explained by the fact that
$c = 2$ is the hardest case for Cinderella to win the game. Therefore, proving
that property requires building a complex winning strategy for Cinderella. Such
a strategy is embedded in the proof of unsatisfiability, and extracting it would
be an interesting exercise beyond the scope of the present paper. When the
capacity moves away from the critical threshold in either direction, the solving
time visibly decreases.


8 Related Work 


Our work is related to many works in the literature in different ways. In addition 
to the works already mentioned in the introduction, here we focus on those that 
seem to be closest to the results presented in this paper. 


Automata on Infinite Alphabets. Symbolic finite automata (SFAs) [43] and sym- 
bolic tree automata (STAs) [42] replace the traditional finite alphabet by a 
decidable theory of unary predicates over a possibly infinite domain. They pred- 
icate over data words and trees, but they do not support storing, comparing, 
or combining data from different positions in the model, as that leads quickly 
to undecidability. Symbolic register automata [10] extend SFAs by storing data 
values in a set of registers. They retain decidability of the emptiness problem by 
only allowing equality comparisons between registers and input data. 
Recently, Shimoda et al. [38] introduced symbolic automatic relations (SARs) 
as a formalism to verify properties of recursive data structures. While both 
Mso-D and SARs rely on CHCs as a backend, they differ in motivation and 
purpose. SARs aim at encoding specific properties of interest in a way that 
reduces the verification effort of the underlying CHC solver, whereas Mso-D is 
intended to provide a high-level language that can be compiled into CHCs. 


Decidable Logics with Data Extensions. In [11], D’Antoni et al. design an exten- 
sion of WS1S on finite data sequences where data can be examined with arbitrary 
predicates from a decidable theory, similarly to the capabilities of SFAs. They 
develop custom representations and algorithms to efficiently solve the satisfi- 
ability problem by reducing it to the emptiness of SFAs. Colcombet et al. [7] 
study a decidable fragment of MSO with data equality, called rigidly guarded
MSO$^{\sim}$, where data equality constraints of the type $val(x) = val(y)$ can only
be checked on a single y-position for each x-position. Constraint LTL [13] is 
another decidable logic for infinite data words, where data in different positions 
can be compared for equality and for order. Segoufin [37] provides a wider, albeit 
slightly outdated, perspective on decidable data logics and automata. 


Logics for Automated Reasoning About Heap-Manipulating Programs. Similarly 
to Mso-D, STRAND [32] is a logic that combines Mso on tree-like graphs with the 
theory of integers. Although STRAND has a fragment that admits a decidable and 
efficient decision procedure, it is not sufficiently expressive to state properties 
of classic data structures such as the balancedness of a tree. Also it does not 
allow solving the Cinderella-Stepmother game. DRYAD logic [33] is a quantifier- 
free logic supporting recursion on trees, that is deliberately undecidable but 
admits a sound, incomplete, and terminating validity procedure, based on natural 
proofs [30]. DRYAD recursive definitions could be expressed by our SDTAs that
use the theories of integers and integer (multi)sets; vice versa, proof techniques
developed for DRYAD could be used to check the emptiness of (some) SDTAs. 


Infinite-State Games. Many infinite-state reachability games like the Cinderella 
game of Sect. 7.2 can be encoded in Mso-D, including all the reachability games 
used in the experiments performed by Farzan and Kincaid [17]. In that paper, 
the authors present a fully automated but incomplete approach for the (undecid- 
able) class of linear arithmetic games. Our approach is incomparable to theirs: 
on the one hand, the approach proposed in Sect. 7.2 does not extend to all linear 
arithmetic games, because it assumes that one player has a bounded number of 
moves; on the other hand, we could easily handle games whose transition
relations are not limited to linear arithmetic. Another related approach is presented
by Beyene et al. [1], who reduce infinite-state games to CHCs extended with 
existential quantifiers. Such existential quantifiers are handled with the help of 
user-provided templates. 

9 Conclusions and Future Directions 


We presented Mso-D and SDTAs as extensions of MSO on trees and finite-state 
tree automata, respectively, for the purpose of reasoning about data trees. We 
have shown that these are versatile and powerful models for reasoning about 
relevant problems, outside the realm of classical automata theory. We believe 
that the key idea, namely separating the structural properties of interest from 
the data constraints, makes it easier to reason about challenging problems. 

Several future directions are interesting. First, we may want to investigate 
theoretical questions about SDTAs, such as closure properties, and whether we 
can reduce classical automata decision problems to solving a system of CHCs. 
In addition, it will be interesting to identify more expressive Mso-D fragments 
that can be reduced to the emptiness of SDTAs. 

Secondly, we believe that our results have applications to other areas in verification.
We have conducted preliminary studies defining extensions of LTL with
data (LTL-D) and, by using the framework developed in this paper and closure
properties of SDTAs, obtained LTL-D model checking algorithms for (recursive)
programs using scalar variables. Our approach is limited to finite runs only, so it
will also be interesting to see how we can extend it to infinite trees and games.

Finally, (enumeration) trees can be used to encode executions of different 
classes of automata, such as concurrent pushdown automata or concurrent queue 
systems. It will be interesting to see if our approach can help lift the results of [31] 
to the corresponding class of concurrent programs. 

Abstract. Most methods of data transmission and storage are prone to 
errors, leading to data loss. Forward erasure correction (FEC) is a method 
to allow data to be recovered in the presence of errors by encoding the 
data with redundant parity information determined by an error-correcting 
code. There are dozens of classes of such codes, many based on sophisti- 
cated mathematics, making them difficult to verify using automated tools. 
In this paper, we present a formal, machine-checked proof of a C imple- 
mentation of FEC based on Reed-Solomon coding. The C code has been 
actively used in network defenses for over 25 years, but the algorithm it 
implements was partially unpublished, and it uses certain optimizations 
whose correctness was unknown even to the code’s authors. We use Coq’s 
Mathematical Components library to prove the algorithm’s correctness 
and the Verified Software Toolchain to prove that the C program cor- 
rectly implements this algorithm, connecting both using a modular, well- 
encapsulated structure that could easily be used to verify a high-speed, 
hardware version of this FEC. This is the first end-to-end, formal proof 
of a real-world FEC implementation; we verified all previously unknown 
optimizations and found a latent bug in the code. 




Keywords: Reed-Solomon coding · functional correctness verification · interactive theorem proving


1 Introduction 


As part of a larger project of ensuring reliable networks, we are applying for- 
mal functional-correctness verification to network components: machine-checked 
proofs that C programs (and, eventually, P4 programs and FPGAs) satisfy their 
high-level functional specs. When attackers may gain access to the source code 
and analyze it for bugs and vulnerabilities, we want something stronger than 
software testing or conventional static analysis: we want a proof that the soft- 
ware works no matter what input is provided, no matter how dastardly. And we 
want a proof that the program works correctly, not merely that it does not crash. 

One key to reliable networking is forward erasure correction (FEC): in a 
portion of the network in which packets are being lost, add extra parity packets 
that allow reconstruction of lost packets without retransmission. We use an FEC 
algorithm and C program that have been in active use for over 25 years. The 
program does many clever and not-so-clever things, and comments indicate that 
some parts are not fully trusted even by its original authors. 

© The Author(s) 2022 

This FEC is a particularly intriguing target for verification because its high- 
level correctness depends on fairly intricate mathematics—we must reason about 
polynomials, matrices, and finite fields. Meanwhile, the C implementation’s cor- 
rectness relies on C programming features and careful manipulation of pointers 
in memory. Thus, we need a tool that can reason at both of these levels. We use 
the Coq proof assistant, utilizing the Mathematical Components [10] (Math- 
Comp) library for the high-level reasoning and the Verified Software Toolchain 
[6] (VST) for the C program verification.¹ Our VST specs are written using 
separation logic, in which we specify precisely what memory is read from and 
written to as well as all external effects (I/O, system calls, etc.). This gives us 
a blanket containment property: the C function is guaranteed to only interact 
with the outside world (memory, OS, etc.) in ways stated in the spec. 


Contributions 


1. We show that formal verification can prove functional correctness for a C 
program that uses both intricate mathematics and clever C programming 
tricks. This is the first formally verified FEC instance that connects a high- 
level mathematical specification with an efficient, optimized implementation. 

2. We formally prove the correctness of a particular version of Reed-Solomon 
erasure coding, parts of which were unpublished. Further, we prove that an 
optimization in the C code, a heavily restricted form of Gaussian elimination, 
is sufficient for this application; this was unknown to the code’s authors. 

3. For the first time, we utilize both MathComp and VST in the same project. 
The two libraries differ greatly in types, tactics, and styles of proof; we use 
both by separating our functional specification into two layers in a process 
that we expect can be automated. 

4. We demonstrate our methods on a real-world C program, verified as is, except 
for two tiny changes, one of which is to fix a latent bug that we discovered. 


1.1 Forward Erasure Correction 


When transmitting data over a noisy channel, one can use an error-correcting 
code—adding generalized “parity” bits, sending the data across the channel, and 
then decoding to recover the data if any errors occurred; this technique is known 
as forward error correction. In an erasure code, the locations of the missing data 
are known to the decoder; this allows correction of more errors. 

FEC is useful in any network where non-congestion-related packet loss is fre- 
quent and retransmission is infeasible or expensive. For instance, wireless networks 
are especially prone to packet loss due to interference or jamming. More generally, 


¹ Our Coq proofs and an appendix with expanded definitions, specs, and proofs can 
be found at github.com/verified-network-toolchain/Verified-FEC/tree/cav22. 
errors in network devices due to firmware bugs, misconfiguration, or malware can 
lead to dropped packets. In these cases, retransmission with TCP is not desirable, 
because TCP will incorrectly interpret these losses as congestion, grinding the net- 
work to a halt. Similarly, applications such as video or audio streaming, often run 
over UDP, cannot handle retransmission without additional work; moreover, the 
latency of retransmitting is often too high. Thus, FEC continues to be important 
in ensuring network reliability. 

The algorithm we consider is based on Reed-Solomon [24] coding; it groups 
the input bits into symbols representing elements of a finite field and interprets 
the data as a polynomial over this field. Reed-Solomon codes are particularly 
useful for correcting burst errors—errors that occur sequentially—since n + 1 
consecutive bit errors can only affect at most 2 symbols of length n. Reed- 
Solomon decoders can be quite complex, both in theory and implementation; 
many mechanisms have been developed for this purpose. Nevertheless, these 
codes have been heavily used in applications such as CDs, DVDs, Blu-Ray disks, 
hard drives, and satellite communications [27]. 

In the early 1990’s, there was a flurry of activity in Reed-Solomon erasure 
coding. McAuley described [18] and patented [19] a method for FEC based on 
Reed-Solomon coding for use in network transmission. Rabin [23] described an 
alternate technique for information dispersal, which was further developed by 
Preparata [22], Schwarz [25], and others, mainly for use in RAID storage sys- 
tems; Plank [21] provides a tutorial and explanation. McAuley later wrote a 
C implementation of FEC for network packets based on this second technique 
with several further modifications. We will refer to the algorithm implemented 
by McAuley’s C code as the Reed-Solomon Erasure (RSE) code. 

Bellcore (now Peraton Labs) has employed this FEC algorithm (and imple- 
mentation) successfully in numerous networking projects to support resilient 
communication, most recently in the DARPA EdgeCT program. McAuley’s 
implementation includes many optimizations and modifications to the core algo- 
rithm, including some whose correctness was unknown to the code’s authors 
(Sect. 5.2). It had one bug that we corrected (Sect. 6.6). We have produced a 
formal, machine-checked proof that this FEC implementation correctly recovers 
data in the presence of erasures—we proved the algorithm correct and proved 
that the program correctly implements it. 


1.2 Coq and VST 


We use the Coq interactive theorem prover, in which the user states and proves 
theorems in a higher-order dependently typed logic. These theorems are mechani- 
cally checked by the Coq kernel. Proofs can be (semi)automated by Coq’s built-in 
tactics and by user-defined tactic programming. 

Coq has been widely used in program verification and formalized mathemat- 
ics. One particularly important verification effort is CompCert [15], an optimiz- 
ing C compiler written and proved correct in Coq. That is, CompCert comes 
with a formal proof that the assembly code generated by the compiler preserves 
the semantics of the input C program. 
VST is a program logic and set of proof automation tools that enables the 
verification of C programs in Coq. Using VST, one can write a specification 
for each C function, stating its preconditions (properties that must hold before 
the function is run) and postconditions (properties that must hold when the 
function finishes). These properties can involve both C-specific assertions (e.g., 
about the contents of memory) and arbitrary statements in Coq’s logic. Then, 
using custom tactics and proof automation included with VST, the user can 
prove in Coq that the C function satisfies its specification. 

VST’s program logic is proved sound, with a machine-checked proof in Coq. 
When we prove that McAuley’s RSE correctly reconstructs missing packets, the 
soundness proof guarantees that the assembly-language program generated by 
the CompCert C compiler really has that behavior. VST is formally proved 
sound for CompCert, but not for gcc or clang. VST is intended (and believed) 
to be sound for gcc/clang; its program logic has stricter rules than would be 
necessary only for soundness w.r.t. CompCert. For example, for signed integer 
arithmetic, where CompCert is (unfortunately) a refinement of C11 (CompCert 
wraps while C11 is u.b.), VST imposes the (more abstract) C11 spec. Thus, 
VST proofs about C programs also provide useful (though less foundational) 
assurance about programs compiled with other compilers. 

While conventional separation logics have spatial conjuncts that are pred- 
icates just on memory resources, VST’s separation logic has spatial conjunct 
predicates on both memory locations and the outside world, which one might 
affect by performing IO or making a system call [17, Section 3]. In our project, 
none of the VST funspecs mention the outside world in the precondition or 
postcondition; this means, like any Hoare triple in separation logic, that those 
functions can neither access nor modify that resource. 

Proving that a C program satisfies a specification is quite challenging. We 
must prove low-level correctness properties (the program does not crash, all 
memory accesses are valid, etc.) and provide loop invariants and intermediate 
proofs to prove high-level properties (that the function satisfies its spec). Though 
VST’s proof automation is able to hide some of this complexity, many parts must 
still be done manually. Dealing with heavily optimized C code that was never 
intended to be verified makes these tasks substantially more complicated. 

Section 2 describes the RSE algorithm, which differs in several ways from 
the technique described by Rabin, Preparata, and Schwarz. Section 3 explains 
the different verification tasks, including defining a functional model of the algo- 
rithm and showing with VST that the C code implements this model. Section 4 
describes the functional model, Sect. 5 discusses the verification of this functional 
model, including the proof that the algorithm correctly reconstructs missing 
packets, and Sect. 6 discusses the proofs about the C code. Section 7 and Sect. 8 
give related and future work. 


2 The RSE Algorithm 


Like all Reed-Solomon codes, the algorithm treats input symbols as elements 
of a finite field and interprets the input sequence of words as the coefficients 
of a polynomial over this field. However, both the C implementation and the 
RSE algorithm are more naturally described using linear algebra and matrix 
operations. 

Let D be the input data, which consists of k packets, each of length at most 
c bytes. If any packets are smaller, fill in the missing entries with zeroes so that 
D is a k × c matrix. Let h be the number of parity packets we wish to append. 
We will be able to reconstruct up to h total packet-drops. 

Let $k_{\max}$ and $h_{\max}$ be (fixed) parameters such that $k \le k_{\max}$ and $h \le h_{\max}$. 
Let $n_{\max} = h_{\max} + k_{\max}$ (maximum number of packets per batch) and let F be 
a field such that $|F| > n_{\max}$. 


2.1 Initialization 


First, we generate a Vandermonde matrix of size $h_{\max} \times n_{\max}$; that is, take $n_{\max}$ 
distinct nonzero elements of F, denoted as $\alpha_1, \alpha_2, \ldots, \alpha_{n_{\max}}$, and generate the 
following matrix: 

$$
V = \begin{bmatrix}
1 & 1 & \cdots & 1 \\
\alpha_1 & \alpha_2 & \cdots & \alpha_{n_{\max}} \\
\alpha_1^2 & \alpha_2^2 & \cdots & \alpha_{n_{\max}}^2 \\
\vdots & \vdots & \ddots & \vdots \\
\alpha_1^{h_{\max}-1} & \alpha_2^{h_{\max}-1} & \cdots & \alpha_{n_{\max}}^{h_{\max}-1}
\end{bmatrix}
$$

Then, we run Gaussian elimination (see Sect. 4.2) on this matrix to get the 
row-reduced form, which consists of the identity matrix followed by W, the 
$h_{\max} \times k_{\max}$ weight matrix: 

$$
V \;\xrightarrow{\text{Gaussian elim}}\; \left[\, I \;\middle|\; W \,\right]
$$


2.2 Encoding 


The encoder receives as input the data D, a k × c matrix. Let W' be the submatrix 
of W consisting of the first h rows and the first k columns. The encoder computes 
P = W'D, an h × c matrix. These are the parity packets that are sent (along 
with the original data) to the receiver. 

$$
P = W' D \tag{1}
$$


2.3 Decoding 


The decoder is significantly more complicated. However, if no packets are lost, 
the decoder simply returns the first k packets; only if packets are dropped does 
the following algorithm need to be invoked. To give some intuition, we will first 
present the decoder for a special case before giving the full algorithm. 

Since this is an erasure code, we know the locations of the missing packets; 
we also require that the total number of missing packets is at most h. 

For a special case, suppose that the last h data packets were lost and all 
parity packets were received. We can think of the original data D as a block 
matrix consisting of $D_1$, the (k − h) × c matrix of the received data, and $D_2$, 
the h × c matrix of the lost data. Similarly, we can split the h × k matrix W' 
(from the encoder) into $W_1'$, consisting of the first k − h columns of W', and $W_2'$, 
consisting of the rest. 

$$
W' = \Big[\; \underbrace{W_1'}_{k-h} \;\Big|\; \underbrace{W_2'}_{h} \;\Big], \qquad
D = \begin{bmatrix} D_1 \\ D_2 \end{bmatrix}
\begin{matrix} \}\, k-h \\ \}\, h \end{matrix}
$$

$$
P = W' D = W_1' D_1 + W_2' D_2
$$

From this, the missing data $D_2$ can be computed using P, $D_1$, and the parts of 
W', all of which are known: 

$$
D_2 = (W_2')^{-1} \left( P - W_1' D_1 \right) \tag{2}
$$


The general case is similar, but we need to define the relevant submatrices more 
carefully. Let $x_h$ be the number of missing data packets. We must have received 
at least $x_h$ parity packets (or else the total number of missing packets is more 
than h). Let P' be the submatrix of P consisting of the first $x_h$ received parity 
packets. This time, we let $W_1'$ be the $x_h \times (k - x_h)$ submatrix of W' whose rows 
consist of the locations of the $x_h$ found parity packets and whose columns consist 
of the $k - x_h$ locations of the received data. Let $W_2'$ be the $x_h \times x_h$ submatrix 
of W' whose rows consist of the locations of the $x_h$ found parities and whose 
columns consist of the locations of the missing data. Finally, $D_1$ and $D_2$ are still 
defined such that $D_1$ contains the received rows and $D_2$ contains the missing 
rows. This time, these rows need not be contiguous. These definitions reduce to 
the previous ones in the special case considered above. 

By the definitions of the above submatrices, Eq. 2 still holds (except that 
we replace P with P'), so we can find the missing data $D_2$ by computing 
$(W_2')^{-1}(P' - W_1' D_1)$. 

This decoder is only well defined if $W_2'$ is invertible. $W_2'$ is dynamically chosen 
based on the found parities and missing data, so we must show a stronger claim 
that any square submatrix up to size h × h of W is invertible. Proving this was 
the crucial step in the functional model verification, described in Sect. 5.1. 

As noted in Sect. 1.1, this algorithm is a modified version of the technique 
described by Rabin, Preparata, Schwarz, and others. The main difference is 
the use of the static weight matrix in RSE; all the others assume that the 
Vandermonde matrix has dimensions h x (k + h) and exactly h packets are 


278 J. M. Cohen et al. 


lost. Thus, their needed correctness property is weaker; it requires only that any 
h x h submatrix of W is invertible. 


3 Verification Structure 


The verification consists of two distinct tasks: we prove that the RSE algorithm 
is correct (i.e., the decoder recovers the original data in the presence of errors) 
and that the C program truly implements this algorithm. These two tasks are 
quite different; the first is purely mathematical and involves proofs about linear 
algebra, while the second involves implementation details and C-language veri- 
fication conditions. To separate these tasks and make the proofs more modular, 
we define a functional model, a purely functional program written in Coq that 
implements the RSE algorithm. This functional model is inefficient but easy to 
reason about in Coq. Then we use VST to prove that the C program refines this 
functional model. Finally, we compose these two parts to produce a formal proof 
that the C implementation of this erasure code is correct. 

Separating the functional specification and the VST proofs is a common 
paradigm; it has been used to verify SHA-256 hashing [4], HMAC-DRBG crypto- 
graphic random number generation [28], and floating-point numerical program- 
ming [5]. This approach provides a clear formal specification independent of 
any implementation; we can reuse the same functional model and its correct- 
ness proofs to verify another implementation of this algorithm (for instance, an 
FPGA version). It makes verification more flexible; we can prove further prop- 
erties later simply by adding additional lemmas about the functional model. It 
makes the proofs shorter and clearer; we can tell which parts are needed for the 
core correctness proofs and which are implementation-specific. Finally, it per- 
mits a separation of expertise: the person who proves mathematical theorems 
about the functional model need not know anything about C programming or 
VST verification, and the person who proves C refinement in VST need not know 
why the functional model accomplishes the high-level goals. 

Our functional model was written in Gallina, the functional programming 
language embedded in Coq, using the Mathematical Components (MathComp) 
library for formalized mathematics. MathComp contains definitions and theo- 
rems about groups, rings, fields, vector spaces, matrices, polynomials, graphs, 
and other mathematical objects. 

In fact, we define two functional models—a high-level version uses Math- 
Comp’s abstract and dependent types of matrices, polynomials, and the like, 
while a low-level version uses concrete types such as list (list byte), which VST 
can use to represent memory contents. Translating between these types is non- 
trivial (because of all the dependent types in MathComp), so we separate the 
type conversion proofs from both the high-level mathematical reasoning and 
the low-level VST refinement proof. This makes the proofs more modular and 
helps to improve the readability of the resulting formalization. The translation 
is largely mechanical and we expect that it could be automated; we focus on the 
high-level functional model and the VST refinement proofs. 
4 Functional Model 


4.1 The Encoder and Decoder 


We translate Eq. 1 into the language of Coq/MathComp: 


Definition encoder (h k c max_h max_n : nat) (Hh: h <= max_h) (Hk: k <= max_n) 
    (weights : 'M[F]_(max_h, max_n)) (input : 'M[F]_(k, c)) := 
  (mxsub (fun (x : 'I_h) => widen_ord Hh x) 
         (fun (x : 'I_k) => rev_ord (widen_ord Hk x)) weights) *m input. 


'M[F]_(x, y) denotes a matrix of size x × y over field F and *m denotes matrix 
multiplication. The type 'I_n represents an ordinal, a natural number in the range 
[0, n−1]. The encoder takes in the parameters h, k, c, $h_{\max}$, and $n_{\max}$ (all defined 
as in §2), the $h_{\max} \times n_{\max}$ weight matrix, the k × c data matrix, and proofs that 
h and k are bounded appropriately. mxsub creates a submatrix from an input 
matrix by selecting rows and columns via user-specified functions. widen_ord is 
needed to handle some dependent type casting; it has no computational content 
and can be ignored. Finally, rev_ord selects the “opposite” ordinal; for x : 'I_k, 
rev_ord x = k − x − 1. Therefore, this function selects the first h rows and the 
last k columns (in reverse order) of the weight matrix and multiplies this by 
the input. This differs from the algorithm in Sect. 2.2, which selects the first k 
columns. The overall algorithm’s correctness is not affected as long as we choose 
the matrices $W_1'$ and $W_2'$ in the decoder to be consistent, but this change makes 
the model consistent with the C implementation (see Sect. 6.2). 

The decoder (Eq. 2) can be similarly translated into MathComp; we omit the 
full definition, but note that we defined the decoder more generally than needed: 
it is defined over any field and over any Vandermonde matrix on distinct elements 
of that field. 


4.2 Gaussian Elimination 


Gaussian elimination, or row reduction, is a well known algorithm in linear alge- 
bra for solving systems of linear equations, finding matrix inverses, and calculat- 
ing determinants. The C code includes an implementation of Gaussian elimina- 
tion, used to row-reduce the Vandermonde matrix to produce the weight matrix 
and to invert W3 in the decoder. Thus, we need to define a corresponding func- 
tional model. 

Gaussian elimination proceeds by applying a sequence of elementary row 
operations—swapping two rows, multiplying a row by a scalar, and adding a 
scalar multiple of one row to another row—to a matrix until it is in row-echelon 
form, which for full-rank matrices (including all relevant matrices in this appli- 
cation) means that the left hand side becomes the identity matrix. Crucially, 
these row operations preserve invertibility because each corresponds to left mul- 
tiplication by an (invertible) elementary matrix. 

The order of the row operations may vary; Algorithm 1 describes one concrete 
implementation of Gaussian elimination (we use 0-indexing to be consistent with 
MathComp). 


ALGORITHM 1: GAUSSIAN ELIMINATION 


On input A, an m × n matrix: 
  r ← 0; c ← 0 
  while r < m and c < n do 
    if for all i such that r ≤ i < m, $A_{i,c} = 0$ then 
      c ← c + 1 
    else 
      i ← the first index s.t. r ≤ i < m and $A_{i,c} \ne 0$ 
      Swap rows r and i 
      For all 0 ≤ j < m, if $A_{j,c} \ne 0$, multiply row j by $A_{j,c}^{-1}$ 
      For all 0 ≤ j < m, j ≠ r, if $A_{j,c} \ne 0$, subtract row r from row j 
      r ← r + 1; c ← c + 1 
    end if 
  end while 
  for r = 0 to r = m − 1 do 
    Let c be the index of the first nonzero entry in row r if one exists 
    Multiply row r by $A_{r,c}^{-1}$ 
  end for 


While translating this into MathComp is largely straightforward, it 
turns out that the C program does not actually implement Algorithm 1. Rather, 
rows are never swapped and at each iteration, all entries in column c must be 
nonzero. 

The following excerpt from the C code, with the original comments, shows 
the error checks to ensure this condition. The code is mainly interesting for the 
error checks and comments, but we briefly detail how it works: the while guard 
value never changes; instead for current column k, the code iterates through 
rows w. The second conditional checks if matrix element (w, k) is nonzero for 
swapping (but returns an error because swapping is not implemented), while the 
first conditional breaks out of the loop with an error when w has reached the 
last row. 


while (*(q - k) == 0) {                      /* if zero */
    if (++w == i_max) {
        return (FEC_ERR_TRANS_FAILED);          /* failed */
    }
    if (*(p + (w * j_max) + j_max - 1 - k) != 0) {
        /* swap rows */
        return (FEC_ERR_TRANS_SWAP_NOT_DONE);   /* Not done yet! */
    }
}


The “swap rows” and “Not done yet!” messages suggest that the authors 
intended to (eventually) implement the full algorithm. The error checks indicate 
that the authors were not sure if these errors could be triggered. 
We will call this algorithm “Restricted” Gaussian elimination (Algorithm 2). 
Once again, defining this function in MathComp is not difficult, but proving 
that this limited form of Gaussian elimination suffices was a major part of the 
functional model verification (Sect. 5.2). 


ALGORITHM 2: RESTRICTED GAUSSIAN ELIMINATION 


On input A, an m × n matrix: 
  r ← 0 
  while r < m do 
    For all 0 ≤ j < m, if $A_{j,r} = 0$, return ERROR 
    For all 0 ≤ j < m, multiply row j by $A_{j,r}^{-1}$ 
    For all 0 ≤ j < m, j ≠ r, subtract row r from row j 
    r ← r + 1 
  end while 
  for r = 0 to r = m − 1 do 
    Multiply row r by $A_{r,r}^{-1}$ 
  end for 


4.3 Field Operations 


The encoder, decoder, and Gaussian elimination work over any field, but the C 
implementation uses the field $GF(2^8)$, which we must define. Mathematically, 
this field is isomorphic to $\mathbb{F}_2[x]/(1 + x^2 + x^3 + x^4 + x^8)$. That is, the elements of 
this field are polynomials of degree at most 7 with coefficients in $\mathbb{F}_2$ (the field of 
two elements), and all operations are performed modulo $1 + x^2 + x^3 + x^4 + x^8$. 
The choice of $\mathbb{F}_2$ is important; it allows us to represent polynomials as sequences 
of bits. Since the polynomials are of degree at most 7, all field elements can be 
represented as bytes. 

This field and its construction are well understood; while MathComp did not 
include the construction of finite fields via quotients, we were able to define and 
prove general results about primitive polynomials and the finite field’s construc- 
tion without much issue. Then, we can prove correct the method the C code uses 
to populate the lookup tables used to compute in this field (Sect. 6.4). 

One difficulty in using this field is the difference between the polynomials we 
used to define the field and the bytes that we would like to represent as field 
elements. To avoid manually converting everywhere, we defined another field 
structure directly on the byte type and used Coq’s Canonical Structures. 


5 Verifying the Functional Model 


5.1 Decoder Correctness 


To prove the RSE algorithm correct, we need to prove that the decoder actually 
reconstructs the original packets. That is, if the data and parity packets that 
were marked as “received” are correct and there are at most h missing packets, 
then running the decoder on the received packets should recover the original 
data. We state this in Coq below: 


Theorem decoder_correct: ∀ (h xh : nat) (Hh: xh <= h) (data : 'M[F]_(k, c)) 
  (input: 'M[F]_(k, c)) (parities: 'M[F]_(h, c)) (missing_packets : seq 'I_k) 
  (found_parities : seq 'I_h) (Hhh: h <= max_h) (x_h: 'I_h), 

  (* Only the rows in [missing_packets] are incorrect *) 
  (∀ (x: 'I_k) (y: 'I_c), x \notin missing_packets -> data x y = input x y) -> 
  (* All found parity packets were produced by the encoder *) 
  (∀ (x: 'I_h) (y: 'I_c), x \in found_parities -> 
      parities x y = (encoder Hhh k_leq_n weights data) x y) -> 
  (* We have xh unique missing packets and found parities *) 
  uniq missing_packets -> 
  uniq found_parities -> 
  size missing_packets = xh -> 
  size found_parities = xh -> 
  (* Then, the decoder recovers the original data *) 
  decoder xh input parities missing_packets found_parities Hhh x_h = data. 


This theorem is expressed entirely in terms of MathComp matrices and opera- 
tions; it does not rely on the C implementation at all. Its proof requires two main 
tasks: showing that $W_2'$ is invertible and proving that the sequence of operations 
in the decoder is sufficient to recover the original data. The second task is fairly 
straightforward; we compare the matrices elementwise. Thus, the main challenge 
comes from proving the invertibility of the submatrix $W_2'$. 


Proving the Invertibility of $W_2'$. Recall that $W_2'$ is a dynamically chosen 
submatrix of W, the right submatrix of the row-reduced Vandermonde matrix 
V. Therefore, we want to prove the following theorem (any_submx_unitmx): 


Theorem 1. Let V be an m x n row-reduced Vandermonde matrix on distinct 
elements. Let m < n and z < min(m,n — m). Let Y be the submatrix of V 
formed by taking z rows of V and z of the last (n — m) columns of V. Then Y 
is invertible. 


Formally proving this theorem in Coq is quite complicated, partly because Math- 
Comp does not include many of the definitions and results that we need. Namely, 
we need to define and prove properties about row operations and Vandermonde 
matrices, including the following well-known property (vandermonde_unitmx): 


Theorem 2. Let V be an n × n Vandermonde matrix on distinct nonzero ele- 
ments. Then V is invertible. 


The proof relies on the fact that a degree n polynomial with n + 1 zeroes is 
identically zero, a fact already included in MathComp. This marks the only 
direct use of polynomial properties (other than in the finite field construction); 
the rest of the results are purely based on linear algebra. 

Note that the only property we required of the weight matrix W was that 
every z × z submatrix is invertible. Row-reduced Vandermonde matrices satisfy 
this property, but any other matrix that satisfies this property could be used, 
and the encoding-decoding scheme would still be correct. 
5.2 Gaussian Elimination 


Proving full Gaussian elimination (Algorithm 1) correct is fairly standard 
(though nontrivial to formalize completely in Coq), since the algorithm is very 
well-understood. 

The real challenge is to determine the conditions under which RGE (Algo- 
rithm 2) will return the same result as Algorithm 1. It is easy to see that if the 
ERROR case is never reached, then the two algorithms are equivalent. But it is 
not at all obvious how to avoid triggering the error. Invertibility is a necessary 
but quite insufficient condition; for instance, the restricted algorithm fails on 
diagonal and triangular matrices. Therefore, we had two tasks: determine the 
class of matrices for which RGE works correctly and prove that the matrices 
used in the RSE algorithm are in this class. 

For the first task, we needed to determine when certain elements will be 
zero or nonzero at a given step in Gaussian elimination. This is difficult, since 
the elements are constantly changing; instead, we transformed the condition 
into a statement about the invertibility of certain submatrices, since Gaussian 
elimination preserves invertibility. 

During the rth step of Gaussian elimination (assuming no error was reached), 
the r × r upper-left submatrix is a diagonal matrix with nonzero elements along 
the diagonal; all other elements in the first r columns are zero. With this, we 
defined the submatrix $C_k^r$ (for k < r) as the submatrix of A consisting of the first 
r rows and the first r + 1 columns except column k. Then, for k < r, $A_{k,r} \ne 0$ 
exactly when $C_k^r$ is invertible (we prove this by showing that the rows of $C_k^r$ 
are linearly independent). We can do something similar for k ≥ r; this time we 
consider $R_k^r$, defined to be the submatrix of A consisting of the first r + 1 columns 
and rows {0, 1, ..., r − 1, k}. Similarly, $R_k^r$ is invertible iff $A_{k,r} \ne 0$. We will say 
that A is strongly invertible if, for all 0 ≤ r < m, $C_k^r$ is invertible for all k < r 
and $R_k^r$ is invertible for all k ≥ r. Finally, we prove that RGE is equivalent to 
full Gaussian elimination iff input A is strongly invertible. 

Note that this condition requires a particular set of $m^2$ submatrices of the 
input m × n matrix to be invertible, quite a difficult condition to satisfy. How- 
ever, in this application, Gaussian elimination is applied to only two kinds 
of matrices: the matrices $W_2'$ in the decoder and a Vandermonde matrix on 
$x^{n_{\max}-1}, \ldots, x^2, x, 1$ (where x is the primitive element of the field). The strong 
invertibility of each ultimately follows from properties of Vandermonde matrices: 
the result for the first matrix follows from Theorem 1, while the result for the 
second is harder to show, but ultimately follows from repeated applications of 
Theorem 2 and use of the fact that the field elements are consecutive powers of 
the primitive element. With this, we proved the previously unknown result that 
RGE suffices for this application and that the errors shown in Sect. 4.2 are never 
reached. 


6 Verifying the Implementation 


The C code consists of five primary functions with the following signatures: 


// Populate the field lookup tables 
void fec_generate_math_tables(void) 

// (Restricted) Gaussian elimination on the i_max x j_max matrix p 
int fec_matrix_transform(unsigned char *p, unsigned char i_max, 
                         unsigned char j_max) 

// Generate weight matrix (row-reduced Vandermonde matrix) 
void fec_generate_weights(void) 

// Encode the data by appending h parity packets to the k data packets in pdata. 
// plen is an array of the lengths of the data packets. 
// pstat is a flag, all are initially FEC_FLAG_KNOWN. 
int fec_blk_encode(int k, int h, int c, unsigned char **pdata, int *plen, char *pstat) 

// Decode the packets in pdata. The ith flag in pstat is FEC_FLAG_WANTED if 
// the ith packet is missing, otherwise FEC_FLAG_KNOWN 
int fec_blk_decode(int k, int c, unsigned char **pdata, int *plen, char *pstat) 


Each of these functions has a corresponding VST specification. We first describe 
key implementation differences and verification challenges, then discuss the specs 
for selected functions in Sect. 6.4 and Sect. 6.5. 


6.1 Implementation Differences from Algorithm 


Broadly, the C code implements the RSE algorithm from Sect. 2 with the param- 
eters $k_{\max} = 127$ and $h_{\max} = 128$ (as well as a bound of 16000 on c, but this does 
not affect the correctness). However, neither this algorithm nor the functional 
model precisely align with the C implementation. Instead, the implementation 
makes a few changes, and we must prove that these changes do not modify the 
algorithm’s behavior: 


— The code uses Restricted Gaussian Elimination rather than Gaussian elimi- 
nation; see Sect. 5.2. 

— The encoder described in Sect. 2.2 takes W' to be the submatrix consisting 
of the first h rows and the first k columns. But the implementation takes the 
last k columns in reverse order (and likewise for the decoder) because of how 
the weight matrix is arranged in memory. 

— In the decoder, rather than computing $P - W_1' D_1$ with a multiplication fol- 
lowed by a subtraction, the implementation does this via a single larger mul- 
tiplication, taking advantage of the fact that the left hand side of the weight 
matrix is the identity. The result of the computation is equivalent (though 
this is not completely trivial), but it is unclear why the authors chose this. 
Due to the representation of matrices in memory, the decoder computes the 
last matrix multiplication by implicitly reversing the rows of the first matrix 
and the columns of the second one. Equivalence with standard matrix multi- 
plication is not too hard to prove thanks to MathComp’s utilities for iterated 
summations. 
— The code takes as input a sequence of variable-length packets, and we want to 
recover the original data once the decoder has finished. The RSE algorithm 
only describes how to generate the recovered packets, but the implementation 
has to put each packet pointer in its correct position in the packet array 
and ensure that the length for each packet is correct. The functional model 
includes filling in missing packets, but it uses matrices of uniform length. 


6.2 Implementation-Specific Verification Challenges 


Aside from differences between the algorithm and implementation, the C code, 
first written 25 years ago and last modified over 15 years ago, does several things 
that make it poorly suited to verification: 


— Matrices are represented in memory very inconsistently: as pointers, global 
2D arrays, local 2D arrays treated as though they were 1D arrays, and arrays 
of pointers to each row. The C code freely converts between these types; 
therefore, we had to prove several general results in VST to improve support 
for 2D arrays and pointer arithmetic. For example, to convert between 1D 
and 2D arrays, we prove that a 2D array in memory containing Coq list- 
of-lists l is equal to storing a 1D array containing concat l, all of the inner 
lists of l concatenated together. This lemma is generic and will be added 
to VST for future use. For dealing with arrays of pointers, we used VST’s 
iter_sepcon, which represents iterated separating conjunction over a collection 
of predicates, and we proved lemmas allowing us to extract and modify a sin- 
gle element of the collection. Additionally, we needed several smaller lemmas 
and tactics for handling the resulting pointer-equality proof obligations aris- 
ing from these type conversions and for simplifying the pointer comparisons 
in loop guards, which we plan to contribute to VST in order to improve the 
handling of pointer arithmetic. 

— Field multiplication is frequently called in a loop, so it was written as a macro 
rather than a function. VST’s front end expands macros, so we would have to 
prove the correctness of multiplication every time it is used. To avoid this, we 
changed the macro to a function. This did not have any effect on performance; 
at gcc optimization level O2 and O3, the performance was the same, and at 
level O3, the function was inlined. 

— The C function for the decoder includes about 30 local variables (including 
stack-allocated arrays with tens of thousands of elements) and several layers of 
nested loops; VST became quite slow due to the extremely large context. This 
required significant proof engineering to make verification feasible, including 
the use of opaque constants to stop giant arrays from being unfolded and 
heavy use of the frame rule, which allows one to “frame out” parts of the 
context which are not needed and recover them later, to verify each loop 
independently. 

— The code accesses memory using an inconsistent mix of pointer arithmetic, 
array indexing, and combinations of both. The VST proof obligations are dif- 
ferent in these cases, and we need some auxiliary assertions about equality of 
memory locations and pointer arithmetic to reason about these dereferences. 
6.3 VST Specifications 


A C specification in VST looks like: 


DECLARE f 
WITH w 
PRE [ param_typs ] 
PROP(pi) PARAMS(params) GLOBALS(globs) SEP(s1) 
POST [ ret_ty ] 
PROP(p2) RETURN(ret) SEP(s2) 


where f is the function name, param_typs are the C function parameter types, 
ret_ty is the C return type, params are the (symbolic) values of the function 
parameters, globs are the global variables, and ret is the (symbolic) return value. 
The entire PRE block represents the precondition, which must hold before the 
function is run. The POST block is the postcondition, which is true after the 
function finishes. p1 and p2 are propositions in Coq’s logic, while s1 and s2 are 
propositions in separation logic—they describe the contents of memory. Finally, 
the variables w in the WITH clause are logical variables, abstract mathematical 
values to which the precondition and postcondition can refer. 


6.4 Verifying fec_generate_math_tables 


The first C function is fec_generate_math_tables, the function that generates the 
power, logarithm, and inverse tables for the field elements. This function, like 
the others, is interesting because of how it modifies memory, not because of 
what it returns; thus the interesting part of the VST spec is the SEP clause. 
The precondition’s SEP clause says that the global array _fec_2_index (the power 
table) initially stores fec_n zeroes. In the postcondition, this global array now 
stores the Coq list byte_pows, which we define as the powers of field element x (the 
ith entry contains $x^i$). We have similar Coq lists and pre- and post-conditions 
for the log table and inverse table. 

Proving that the field table generation is correct is largely straightforward, 
given the field definitions described in Sect. 4.3. However, there were two main 
complications. The first comes from the method of populating the tables: com- 
pute $x^i$ for all 0 ≤ i < 256 by repeatedly multiplying the result by x in each 
iteration (this can be implemented efficiently as a bitwise shift left and an xor). 
The correctness of this method relies on the fact that the modulus polynomial is 
primitive (i.e., the smallest n such that the modulus polynomial divides $x^n - 1$ 
is 255), and is not trivial to show in Coq. 

Separately, although in the functional model we prove results for arbitrary 
fields and irreducible polynomials, here we need to show that several specific 
polynomials are irreducible and primitive (several field sizes are allowed by the 
code, although only one is used). Both of these conditions require showing that 
a polynomial is not divisible by a set of polynomials, so the easiest way to 
show this is by direct computation along with a proof that this computation 
is sufficient. However, MathComp polynomials are opaque and not computable 
(dividing two MathComp polynomials results in a hanging computation), so we 
needed to define concrete, computable polynomials and operations and relate 
them to their MathComp equivalents. Then, we can prove that the particular 
polynomials that the C code uses satisfy all needed properties. 
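As an added, stand-alone example (not the paper's verified C code and not its Coq functional model), the following C program ties together Sects. 2, 4.2, 4.3, 5.2 and 6.4: it builds the GF(2^8) tables by repeated multiplication by x and reports whether x has order 255, row-reduces a Vandermonde matrix on consecutive powers of x with Restricted Gaussian Elimination, and runs the Sect. 2 encoder and general-case decoder through a round trip with two dropped data packets. The parameters k_max = 5, h_max = 3, the packet-length bound CMAX and the sample packets are constructed for this example, and W' follows the Sect. 2.2 convention (first k columns of W) rather than the reversed-column layout of the C implementation.

```c
#include <stdint.h>
#include <string.h>
#define KMAX 5                /* constructed k_max (the verified code uses 127) */
#define HMAX 3                /* constructed h_max (the verified code uses 128) */
#define NMAX (KMAX + HMAX)    /* n_max = h_max + k_max */
#define CMAX 4                /* constructed bound on the packet length c */
#define MODULUS 0x11D         /* 1 + x^2 + x^3 + x^4 + x^8 */
static uint8_t gf_pow[256], gf_log[256], gf_inv[256];
static uint8_t W[HMAX][KMAX]; /* weight matrix: right block of row-reduced V */

/* Sect. 6.4: x^i by repeated multiplication by x (shift left, reduce with an xor).
 * Returns 1 iff x has order 255 (MODULUS primitive), which is exactly what makes
 * this loop visit every nonzero field element once. */
static int gf_generate_tables(void) {
    unsigned v = 1;
    for (int i = 0; i < 255; i++) {
        if (i > 0 && v == 1) return 0;               /* x^i = 1 with i < 255 */
        gf_pow[i] = (uint8_t)v; gf_log[v] = (uint8_t)i;
        v <<= 1; if (v & 0x100) v ^= MODULUS;
    }
    for (int a = 1; a < 256; a++) gf_inv[a] = gf_pow[(255 - gf_log[a]) % 255];
    return v == 1;
}
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    return (a && b) ? gf_pow[(gf_log[a] + gf_log[b]) % 255] : 0;
}
static void scale_row(uint8_t *row, int n, uint8_t s) {
    for (int c = 0; c < n; c++) row[c] = gf_mul(row[c], s);
}
/* Algorithm 2 on the m x n matrix A (row stride NMAX): rows are never swapped
 * and the ERROR case (-1) fires as soon as an entry of the pivot column is 0. */
static int rge(uint8_t A[][NMAX], int m, int n) {
    for (int r = 0; r < m; r++) {
        for (int j = 0; j < m; j++) if (A[j][r] == 0) return -1;
        for (int j = 0; j < m; j++) scale_row(A[j], n, gf_inv[A[j][r]]);
        for (int j = 0; j < m; j++) if (j != r)
            for (int c = 0; c < n; c++) A[j][c] ^= A[r][c];   /* subtract = xor */
    }
    for (int r = 0; r < m; r++) scale_row(A[r], n, gf_inv[A[r][r]]); /* -> [I|.] */
    return 0;
}
/* Sect. 2.1: Vandermonde on x^{n_max-1}, ..., x, 1, row-reduced to [ I | W ]. */
static int generate_weights(void) {
    uint8_t V[HMAX][NMAX];
    for (int j = 0; j < NMAX; j++) {
        uint8_t alpha = gf_pow[NMAX - 1 - j], p = 1;
        for (int i = 0; i < HMAX; i++) { V[i][j] = p; p = gf_mul(p, alpha); }
    }
    if (rge(V, HMAX, NMAX) != 0) return -1;     /* Sect. 5.2 proves this never fires */
    for (int i = 0; i < HMAX; i++)
        for (int j = 0; j < KMAX; j++) W[i][j] = V[i][HMAX + j];
    return 0;
}

/* Sect. 2.2: P = W' D with W' = first h rows and first k columns of W. */
static void rse_encode(int k, int h, int c, uint8_t D[][CMAX], uint8_t P[][CMAX]) {
    memset(P, 0, (size_t)h * CMAX);
    for (int i = 0; i < h; i++)
        for (int y = 0; y < c; y++)
            for (int j = 0; j < k; j++) P[i][y] ^= gf_mul(W[i][j], D[j][y]);
}

/* Sect. 2.3, general case: D2 = (W2')^{-1} (P' - W1' D1). The xh rows of D listed
 * in `missing` are rebuilt from the xh parities listed in `found`. */
static int rse_decode(int k, int c, uint8_t D[][CMAX], uint8_t P[][CMAX],
                      const int *missing, int xh, const int *found) {
    uint8_t A[HMAX][NMAX], R[HMAX][CMAX];
    for (int i = 0; i < xh; i++) memset(D[missing[i]], 0, CMAX); /* unknown D2 := 0 */
    for (int i = 0; i < xh; i++) {
        for (int j = 0; j < xh; j++) {
            A[i][j] = W[found[i]][missing[j]];        /* W2' ...            */
            A[i][xh + j] = (uint8_t)(i == j);         /* ... augmented by I */
        }
        for (int y = 0; y < c; y++) {                 /* R = P' - W1' D1 */
            R[i][y] = P[found[i]][y];
            for (int j = 0; j < k; j++) R[i][y] ^= gf_mul(W[found[i]][j], D[j][y]);
        }
    }
    if (rge(A, xh, 2 * xh) != 0) return -1;         /* now A = [ I | (W2')^{-1} ] */
    for (int i = 0; i < xh; i++)
        for (int y = 0; y < c; y++)
            for (int j = 0; j < xh; j++)
                D[missing[i]][y] ^= gf_mul(A[i][xh + j], R[j][y]);
    return 0;
}

/* Round trip on constructed packets (k = 4, c = 3, h = 3): data packets 1 and 3
 * are dropped and parities 0 and 2 arrive. Returns 1 iff D is recovered. */
static int rse_roundtrip_ok(void) {
    uint8_t D[KMAX][CMAX] = {{1, 2, 3}, {40, 50, 60}, {7, 8, 9}, {200, 100, 0}};
    uint8_t orig[KMAX][CMAX], P[HMAX][CMAX];
    const int missing[] = {1, 3}, found[] = {0, 2};
    if (!gf_generate_tables() || generate_weights() != 0) return 0;
    memcpy(orig, D, sizeof D); rse_encode(4, 3, 3, D, P);
    memset(D[1], 0xAA, CMAX); memset(D[3], 0xAA, CMAX);   /* simulate the drops */
    if (rse_decode(4, 3, D, P, missing, 2, found) != 0) return 0;
    return memcmp(orig, D, sizeof D) == 0;
}
```

Running rge on the identity matrix returns the ERROR case immediately, which is the Sect. 5.2 observation that invertibility alone is not enough for RGE.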


6.5 Verifying fec_blk_decode 


The function spec for fec_blk_decode is quite long; it consists of many tedious 
preconditions to ensure that the input packets are stored correctly in memory, 
that the length and packet status arrays correspond to the actual packets in 
memory, and that the various integer parameters are within their correct bounds. 
The list of preconditions is long; however, these functions are called by client 
functions that do packet-handling and buffer management, and the verification 
of those functions will check that they do indeed set up their inputs correctly 
(see Sect. 8). 

We focus on a key part of the spec: the precondition’s SEP clause includes 
the predicate iter_sepcon_arrays packet_ptrs packets, which states that the Coq list 
packets is stored in memory at the given pointers. In the postcondition’s SEP 
clause, this becomes iter_sepcon_arrays packet_ptrs (decoder_list k c packets parities 
stats lengths parbound). In other words, after the function is run, the contents 
of the packet memory are represented by the low-level functional model of the 
decoder (the version that uses concrete types that VST can understand rather 
than opaque MathComp types). 

Our decoder_correct theorem (Sect. 5.1) states that the high-level functional 
model correctly reconstructs the missing packets that were originally given to the 
encoder. Lemma decoder_list_correct lowers that result to the low-level functional 
model, using some injectivity results between the two models. 

Thus, a client of the code can compose the VST spec and the correctness 
theorem to prove that, after fec_blk_decode is run, as long as the received packets 
and parities were correct, the missing data is recovered and the original data is 
now stored in memory (see Sect. 8). 


6.6 Implementation Bug 


While verifying fec_matrix_transform, we discovered a bug in the following code: 


q = (p + (i * j_max) + j_max - 1);
m = q - j_max;
for (n = q; n > m; n--) {
  //loop body
}


Here, i ranges from 0 to i_max, and p is a pointer to the input matrix. The problem is, when i = 0, q points to p + j_max - 1 and thus m points to p - 1. By the C standard and the semantics of CompCert C, the comparison n > m is undefined behavior. In fact, in C11, even the line q - j_max is undefined behavior [12, Section 6.5.6, #8].

This may seem harmless, but 21st-century C compilers optimize under the assumption that the program does not exhibit undefined behavior. A compiler can assume that m = q - j_max cannot be reached when i = 0, and it may mangle the loop body “knowing” that i ≠ 0. This has caused problems for systems code [26], and the solution is to avoid writing C programs with undefined behavior.
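As an added illustration, not the paper's code, the walk above written two ways: the original pointer shape, which is only defined for i ≥ 1, and an index-based form that never forms a pointer before the array. The row-major byte layout and the copy-to-out loop body are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not the paper's code: the reverse column walk above written
 * two ways.  The matrix is row-major, i_max rows of j_max bytes, so row i is
 * p[i*j_max .. i*j_max + j_max - 1]; the loop body, unspecified in the paper,
 * is taken here to copy row i into out[] from last column to first. */

/* Original shape: the bound m is the byte just BEFORE row i.  For i == 0 that
 * is p - 1, which C11 6.5.6 does not permit to be formed, let alone compared
 * against, so this function is only defined for i >= 1. */
void row_walk_original(const uint8_t *p, int i, int j_max, uint8_t *out)
{
    const uint8_t *q = p + (i * j_max) + j_max - 1;
    const uint8_t *m = q - j_max;               /* p - 1 when i == 0 */
    size_t k = 0;
    for (const uint8_t *n = q; n > m; n--)
        out[k++] = *n;
}

/* Hardened shape: count with an index and derive each pointer from it, so
 * every pointer formed points into row i.  Same result for every i. */
void row_walk_fixed(const uint8_t *p, int i, int j_max, uint8_t *out)
{
    const uint8_t *row = p + (size_t)i * (size_t)j_max;
    size_t k = 0;
    for (int c = j_max; c > 0; c--)
        out[k++] = row[c - 1];
}

/* Constructed 2x4 matrix: returns 1 when both walks agree on row 1 (where
 * both are defined) and the hardened walk reverses row 0 (where only it is). */
int row_walk_selftest(void)
{
    const uint8_t mat[2 * 4] = { 1, 2, 3, 4, 10, 20, 30, 40 };
    const uint8_t want[4] = { 4, 3, 2, 1 };
    uint8_t a[4], b[4];
    row_walk_original(mat, 1, 4, a);
    row_walk_fixed(mat, 1, 4, b);
    for (int k = 0; k < 4; k++)
        if (a[k] != b[k]) return 0;
    row_walk_fixed(mat, 0, 4, b);
    for (int k = 0; k < 4; k++)
        if (b[k] != want[k]) return 0;
    return 1;
}
```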

Fortunately, VST’s machine-checked proof of soundness makes it impossible 
to prove a C program correct that contains undefined behavior (unless ruled 
out by a function precondition). The loop test n > m cannot be verified in VST, 
since undefined behavior cannot be ruled out. 

Without formal methods, this type of bug is quite difficult to find: it depends on subtle C semantics, today’s static analyzers won’t catch it,² and testing cannot catch it until (in some future year) an optimizing C compiler gets more aggressive. VST provides blanket assurance against this entire class of errors.

Moreover, because VST uses separation logic, we specify exactly what effects the code is allowed to have. Thus, in principle, this kind of verification is 100% resistant to adversarial attacks that try to put exploits into code, provided that those exploits can be defined as a functional property of the C code (such as which memory addresses it accesses, what system calls it makes, etc.). But our methods cannot defend against side-channel attacks.


7 Related Work 


Verification of Network Middleboxes. Through several recent efforts, verification 
of network functions running in the dataplane has become increasingly feasible. 
Software dataplane verification [9] uses symbolic execution to prove certain low- 
level properties (such as memory safety) about programs written with Click, a 
popular framework for configuring routers and writing network functions. Gravel 
[31] uses symbolic execution and SMT solvers to verify many middlebox-specific 
properties of Click programs, including functional correctness. VigNAT [30] uses 
a mix of symbolic execution and proof checking to verify a Network Address 
Translation (NAT) implementation in C; this approach requires the use of a 
specialized data structure library and annotations on the C program but is quite 
automated overall. Vigor [29] builds on VigNAT to extend similar methods to 
more general network function verification. It uses a simpler but less expressive 
specification language, enabling fully automatic verification. Vigor and VigNAT 
use Verifast [13], a separation-logic-based tool for verifying C programs that is 
more automated than VST but is not connected to a proof assistant; this makes 
functional model proofs much more difficult. 

These tools are considerably more automated than our work, but face significant restrictions on the type of code they can verify: none can verify code with arbitrary unbounded loops, pointer arithmetic, or use of complex data structures. More importantly, none could handle the mathematical reasoning needed to prove the correctness of the functional model and ensure that the FEC correctly reconstructs packets.

² “Conceptually, this undefined-behavior optimization bug is possible to trigger with STACK’s approach [26]. But, as for the current implementation of STACK, the answer is likely no, because it depends on LLVM to do loop unrolling/inlining ... and I doubt LLVM would do either ....” (Xi Wang, e-mail of May 23, 2022).


Verification of Error-Correcting Codes. Since error-correcting codes are both 
ubiquitous and quite complex to implement correctly, there has been a long 
line of research in formalizing various codes. Most of these efforts take the form 
of either automated hardware verification of digital circuits or recent efforts to 
create formalized libraries of error-correcting codes. We believe that our work 
is the first to connect a high-level, mathematical specification with an efficient 
implementation. 

Error-correcting codes are hard to verify with automated methods such as 
model checking and BDDs because of the large state space and the complexity of 
the algorithms. Some recent efforts [8] have used automated hardware verification 
tools to verify (non-Reed-Solomon) ECCs, but they can handle very few bit 
errors. BLUEVERI [16] is a tool for verifying hardware implementations of finite 
field operations and was applied to Reed-Solomon codes. It can handle more 
errors (up to almost a dozen bits), but requires extensive manual effort and 
knowledge of hardware implementation details. 

In a separate vein, several recently developed libraries of formalized coding theory are similar to the functional model in our work, but are not connected to an efficient implementation. Most notably, Affeldt, Garrigue, and Saikawa have developed a Coq library for error-correcting codes, including Hamming and acyclic LDPC [1], Reed-Solomon [2], and BCH [3] codes. This library is built atop MathComp, and includes many theoretical results about each of these codes as well as specific encoders and decoders. Ideally, we would have liked to use this library as part of our functional model, but the implementation we verified differs significantly from standard Reed-Solomon coding, which corrects errors rather than erasures. Their library’s Euclidean-algorithm-based decoding is extremely different from the decoder in RSE.

In Lean, a coding theory library called Cotoleta was developed and used 
to prove results about Levenshtein distance [14] and Hamming(7,4) codes [11]. 
Separately, Hamming(7,4) and 5-rate convolutional codes were verified in the 
ACL2 theorem prover [20] with a particular focus on correcting memory errors; 
these codes were verified against a particular memory model. Both of these 
projects focused on verifying concrete-sized codes; thus they did not require the 
same level of abstraction or general mathematical reasoning as our work. 


8 Future Work 


In a real system, the encoder and decoder verified in this work are called by clients who handle receiving packets, assigning them to batches, and maintaining various data structures. We are currently working to verify a real-world version of such a system. This will permit a single, clean, end-to-end correctness result; right now, we have separate results for the decoder’s correctness and the C program refinement which must be composed together. However, the specification of such a system introduces new challenges; it must reason about packet streams and network-specific features such as headers, timeouts, and packet reordering.

This C implementation of RSE has been useful in several projects at Bellcore/Telcordia/Peraton even though it cannot run at modern packet bit rates. We believe that a line-rate FPGA implementation of the finite-field matrix-multiply partial step is possible, and we are designing an API by which this could be controlled by a C program or a P4 program. Such an FPGA could be proved correct by a layered proof. The top layer would be our MathComp proof with no changes. The bottom layer could be proved using a Coq tool for hardware synthesis and functional-correctness verification, such as Kôika [7].


9 Conclusion 


We have presented an efficient, real-world C implementation of Reed-Solomon forward erasure correction that we formally verified using the Coq proof assistant and the Verified Software Toolchain. The code was verified with only minor changes; one macro was turned into a function for ease of verification and one bug that caused undefined behavior was fixed. While the code has been in use for over 25 years, the correctness of certain parts of the underlying algorithm, a modified form of Reed-Solomon erasure coding, was still ill-understood, including a very restricted form of Gaussian elimination. We were able to use Coq’s Mathematical Components library to completely verify the correctness of this algorithm and VST to prove that the C code, with its various optimizations and modifications, correctly implements this algorithm. This demonstrates that tools like VST allow us to verify real-world, dusty-deck programs in C, even those whose correctness depends on a broad base of mathematics and those with numerous low-level optimizations. We believe this can be a viable approach to connect efficient low-level code with sophisticated high-level reasoning, enabling reliable software components for networks and other systems.


Appendix 


The appendix to this paper can be found in our git repo (see footnote 1) in 
doc/Appendix.pdf. 
Abstract. RIOT is a micro-kernel dedicated to IoT applications that adopts eBPF (extended Berkeley Packet Filters) to implement so-called femto-containers. As micro-controllers rarely feature hardware memory protection, the isolation of eBPF virtual machines (VM) is critical to ensure system integrity against potentially malicious programs. This paper shows how to directly derive, within the Coq proof assistant, the verified C implementation of an eBPF virtual machine from a Gallina specification. Leveraging the formal semantics of the CompCert C compiler, we obtain an end-to-end theorem stating that the C code of our VM inherits the safety and security properties of the Gallina specification. Our refinement methodology ensures that the isolation property of the specification holds in the verified C implementation. Preliminary experiments demonstrate satisfying performance.


Keywords: Mechanized proof - Virtual machines - Fault isolation 


1 Introduction 


Hardware-enforced memory isolation (e.g., Trustzone, Sanctum [6], Sancus [30]) is often not available on micro-controller units (MCU), which usually trade coarse-grain isolation for price and performance. To mitigate development variability and cost, common practices for MCU operating system design (RIOT [3], FreeRTOS, TinyOS, Fuchsia, and others [14]) advise running all the device’s code stack in a shared memory space, which can only be reasonably safe if that code can be trusted. While standard in safety-critical system design, such a trust requirement is oftentimes unsuitable for networked MCUs, where the extensibility of the OS kernel at runtime is an essential functionality. When system reconfiguration does not affect the entire network (via, e.g., leader election), extensibility can easily be provided offline, by employing library OSs or unikernels [24], to reconfigure network endpoints independently (e.g., cloud apps). Otherwise, the best solution is to load and execute system extensions (configurations, protocols, firewalls, etc.) as assembly-level Wasm [13] or Berkeley Packet Filters [25] scripts using an interpreter or a Just-In-Time (JIT) compiler on the target device.


Femto-Containers. RIOT adopts the extended Berkeley Packet Filters (eBPF) 
and tailors it to resource-constrained MCUs by implementing so-called femto- 
containers: tiny virtual machine instances interpreting eBPF scripts. Compared 
to more expressive languages, like Wasm, experiments show that RIOT’s eBPF 
implementation, rBPF, requires less memory [39]. The Linux kernel features an 
eBPF JIT compiler whose security depends on a sophisticated online verifier [29]. 
As an MCU architecture cannot host such a large verifier, executing JIT code 
would imply delegation of trust to a third-party, offline, verifier. The alternative 
is to rely on a defensive VM. Though a VM may be slower than a JIT, it can run untrusted, erroneous, adversarial code in an open, and possibly hostile, environment, and still isolate faults to protect its host’s integrity.


Approach and Goals. This paper investigates an approach that trades high performance on low-power devices for defensive programming and low memory footprint. Our primary goal is to prevent faults that could compromise host devices and, by extension, force networked devices to reboot and resynchronize (i.e., fault tolerance protocols). To maximize trust in the implementation of rBPF, our refinement methodology allows the verified extraction of C code directly from its mechanically proved definition in Gallina, the functional language embedded in the Coq proof assistant [4].


Method. To mechanically prove the correctness of an interpreter, a conventional approach consists in defining the reference semantics in a proof assistant and in showing that an executable optimized interpreter produces the same output. In this paper, our goal is to verify the interpreter of the virtual rBPF instruction set, implemented with the system programming language C. To this aim, we introduce a direct, end-to-end, validation workflow. The semantics of the source instruction set is directly defined by monadic functional terms in our proof assistant. We prove that this semantics enforces safety and security requirements regarding memory isolation and control-flow integrity. Then, C code is automatically derived from these monadic functional terms to implement the expected virtual machine. We prove that the extracted C code has the same stateful behavior as the monadic specification. Our method uses a monadic subset of Gallina of sufficient expressiveness to specify rBPF’s semantics, supports the verified extraction of equivalent Clight [20] code, while provably implementing all required defensive runtime checks.


Plan. The rest of the paper is organized as follows. Section 2 states our contributions. Section 3 provides background on BPF and its variants, CompCert and the ∂x code extraction tool. Section 4 presents our workflow to formally refine monadic Gallina programs into C programs. Section 5 defines the proof model of our virtual machine: its semantics, consistency and isolation theorems. Section 6 refines the proof model of our femto-container into a synthesis model ready for code generation with CompCert. Section 7 proves the refinement between the synthesis and implementation models. Section 8 introduces our verified verifier which establishes the invariants needed by the VM. Section 9 case studies the performance of our generated VM implementation with respect to off-the-shelf RIOT femto-containers. Section 10 presents related works and Sect. 11 concludes.


2 Contributions 


Implementing a fault-isolating virtual machine for MCUs faces two major challenges. One is to embed the VM inside the MCU’s micro-kernel and, hence, to minimize its code size and execution environment. A second challenge is to minimize the verification gap between its proof model and the running code. We address these challenges and present the first end-to-end verification and synthesis of a full-scale, real-world, virtual machine for the BPF instruction set family: CertrBPF, an interpreter tailored to the hardware and resources constraints of MCU architectures running the RIOT operating system. CertrBPF employs a workflow of proof-oriented programming using the functional language Gallina embedded in the proof assistant Coq. The verified refinement and extraction of an executable C program is performed directly from its proof model. We report the successful integration of CertrBPF into the open source IoT operating system RIOT and the evaluation of its performance against micro-benchmarks.


A Certified rBPF Interpreter. CertrBPF is a verified model and implementation of rBPF in Coq. We formalize the syntax and semantics of all rBPF instructions, implement a formal model of its interpreter (femto-container), complete the proof of critical properties of our model, and extract and verify CompCert C code from this formalization. This method allows us to obtain a fully verified virtual machine. Not only is the Gallina specification of the VM proved kernel- and memory-isolated using the proof assistant, but the direct interpretation of its intended semantics as CompCert C code is, itself, verified correct. This yields a fully verified binary program of maximum security, minimal memory footprint and a reduced Trusted Computing Base (TCB): CertrBPF, a memory-efficient kernel-level virtual machine that isolates runtime software faults using defensive code and does not necessitate offline verification.


End-to-End Proof Workflow. An obvious choice is to use the existing Coq extraction mechanism to compile the Gallina model into OCaml. The downside of this approach is that Coq extraction has to be trusted. Moreover, the OCaml runtime needs to be trimmed down to fit the space requirements of our target architecture and also becomes part of the TCB. Our ambition is instead to minimize the verification gap and provide an end-to-end security proof linking our Gallina model to bare-metal, extracted C code. Our intended TCB is hence restricted to the Coq type-checker, the C semantics of the CompCert compiler and a pretty-printer for the generated C Abstract Syntax Tree (AST).

To reach this goal, our starting point is a model of the rBPF semantics written 
in Gallina. We use this proof model to certify that all the memory accesses are 
valid and isolated to dedicated memory areas, thus ensuring isolation. From this 
proof model, we then derive a synthesis model of which we extract an executable 
version in Clight, that we finally prove to perform the same state transitions. 


Systems Integration and Micro-benchmarks. We integrate CertrBPF as a drop-in replacement of the current, non-verified, rBPF interpreter in the RIOT operating system. We then comparatively evaluate the performance of CertrBPF integrated in RIOT, running on various 32-bit micro-controller architectures. Our benchmarks demonstrate that, in practice, CertrBPF not just gains security, but reduces memory footprint as well as execution time.


3 Background 


This section describes essential features of rBPF, of the CompCert compiler, and of the ∂x code generation tool, that are required by our refinement methodology.


BPF, eBPF and rBPF. Originally, the purpose of Berkeley Packet Filters [25] 
(BPF) was network packet filtering. The Linux community extended it to provide 
ways to run custom in-kernel VM code, hooked into various subsystems, for 
varieties of purposes beyond packet filtering [10]. eBPF was then ported to micro- 
controllers, yielding RIOT’s specification: rBPF [38]. Just as eBPF, rBPF is 
designed as a 64-bit register-based VM, using fixed-size 64-bit instructions and a 
reduced instruction set architecture. rBPF uses a fixed-size stack (512 bytes) and 
defines no heap interaction, which limits the VM memory overhead in RAM. The 
rBPF specification, however, does not define special registers or interrupts for flow control, nor does it support virtual memory: the host device’s memory is accessed directly and only guarded using permissions.


The CompCert Verified Compiler. CompCert [18] is a C compiler that is both 
programmed and proved correct using the Coq proof assistant. The compiler is 
structured into passes using several intermediate languages. Each intermediate 
language is equipped with a formal semantics and each pass is proved to preserve 
the observational behavior of programs. 


The Clight Intermediate Language. Clight [20] is a pivotal language which condenses the essential features of C using a minimal syntax. The Verified Software Toolchain (VST) [2] verifies C programs at the Clight level that are obtained by the CLIGHTGEN tool. Though we do not reuse the proof infrastructure of VST, we are reusing CLIGHTGEN in order to get a Clight syntax from a C program.


CompCert Values and Memory Model [19,20]. The memory model and the 
representation of values are shared across all the intermediate languages of 
CompCert. The set of values val is defined as follows: 
val ∋ v ::= Vint(i) | Vlong(i) | Vptr(b, o) | Vundef | ...

A value v ∈ val can be a 32-bit integer Vint(i), a 64-bit integer Vlong(i), a pointer Vptr(b, o) consisting of a block identifier b and an offset o, or the undefined value Vundef. The undefined value Vundef represents an unspecified value and is not, strictly speaking, an undefined behavior. Yet, as most of the C operators are strict in Vundef, and because branching over Vundef or de-referencing Vundef are undefined behaviors, our proofs will ensure the absence of Vundef. CompCert values also include floating-point numbers; they play no role in the current development. CompCert’s memory consists of a collection of separate arrays. Each array has a fixed size determined at allocation time and is identified by an uninterpreted block b ∈ block. The memory provides an API for loading values from memory and storing values in memory. Operations are parameterised by a memory chunk k which specifies how many bytes should be written or read and how to interpret bytes as a value v ∈ val.

For instance, the memory chunk Mint32 specifies a 32-bit value and Mint64 a 64-bit value. The function load k m b o takes a memory chunk k, a memory m, a block b and an offset o. Upon success, it returns a value v obtained from the memory by reading bytes from the block b starting at index o. Similarly, the function store k m b o v takes a memory chunk k, a memory m, a block b, an offset o and a value v. Upon success, it returns an updated memory m’ which is identical to m except that the block b contains the value v encoded into bytes according to the chunk k starting at offset o. The isolation properties offered by CompCert memory regions are worth mentioning: load and store operations fail (return None) for invalid offsets o and invalid permissions.


The ∂x tool. ∂x emerged from the toolchain used to design and verify the Pip proto-kernel [15]. Its aim was to allow writing most of Pip’s source code in Gallina in a style as close to C as possible. ∂x extracts C code from a Gallina source program in the form of a CompCert C AST. The goal of ∂x is to provide C programmers with readily reviewable code and thus avoid misunderstanding between those working on C/assembly modules (that access hardware) and those working on Coq modules (the code and proofs). To achieve this, ∂x handles a C-like subset of Gallina. The functions that are to be converted to C rely on a monad to represent the side effects of the computation, such as modifications to the CPU state. Yet ∂x does not mandate a particular monad for code extraction.


∂x’s Workflow. ∂x proceeds in two steps. First, given a list of Gallina functions, or whole modules, it generates an intermediate representation (IR) for the subset of Gallina it can handle. The second step is to translate this IR into a CompCert C AST. Since Coq has no built-in reflection mechanism, the first step is written in Elpi [8], using the Coq-Elpi plugin [37]. That step can also process external functions (appearing as extern in the extracted C code) to support separate compilation with CompCert. In order to obtain an actual C file, ∂x also provides a small OCaml function that binds the extracted C AST to CompCert’s C pretty-printer. Even though the ∂x language is a small subset of Gallina, it inherits much expressivity from the use of Coq types to manipulate values. For example, we can use bounded integers (i.e., the dependent pair of an integer with the proof that it is within some given range), that can be faithfully and efficiently represented as a single int in C. To this end, ∂x expects a configuration mapping Coq types to C.


∂x Memory Management. A major design choice in the C-like subset of Gallina used by ∂x is memory management: its generated code executes without garbage collection. This affects the Coq types that can actually be used in ∂x: recursive inductive types, such as lists, cannot automatically be converted. However, this Gallina subset is particularly relevant to programs in which one wants to precisely control memory management and decide how to represent data structures in memory. This is typically the case of an operating system or, in our case, the rBPF virtual machine.


4 A Workflow for End-to-End Verification in Coq 


This section gives an overview of our methodology to derive a verified C implementation from a Gallina specification. In the following sections, the methodology will be instantiated to derive the C implementation of a fault-isolating rBPF virtual machine and its verifier. Our approach provides an end-to-end correctness proof, within the Coq proof assistant, that reduces the hurdle of reasoning directly over the C code.

As shown in Fig. 1, the original rBPF C implementation is first formalized by 
a proof model in Gallina, and the verification of expected properties (e.g., safety) 
is performed within the Coq proof assistant. This specification is then refined 
into an optimized (and equivalent) synthesis model ready for C-code extraction. 


Fig. 1. End-to-end verification and synthesis workflow


The refinement and optimization principle employed by our method consists of deriving a C-ready implementation, in Gallina, that is as close as possible to the expected target C code. This principle allows us to i) prove optimizations correct, ii) improve the performance of the extracted code and, iii) facilitate review and validation of extracted code with the system designers. From the C-ready Gallina implementation, we leverage ∂x to automatically generate C code and verify it: i) the generated C code is first parsed as a CompCert Clight model by the CLIGHTGEN tool of VST and ii) it is proved to refine the source Gallina model in Coq using translation validation. Because ∂x generates C code in a syntax-directed manner, a minimal Clight logic is designed to facilitate the refinement proof. The rest of the section explains these different steps in detail.


Proof-Oriented Specification. Our specification takes the form of an executable abstract machine in monadic form. It uses the standard option-state monad M.

$M\ a\ state := state \to option(a \times state)$
$returnM : a \to M\ a\ state := \lambda a.\ \lambda st.\ Some(a, st)$
$bindM : M\ a\ state \to (a \to M\ b\ state) \to M\ b\ state :=$
$\quad \lambda A.\ \lambda f.\ \lambda s.\ \mathrm{match}\ A\ s\ \mathrm{with} \mid None \Rightarrow None \mid Some(x, s') \Rightarrow (f\ x)\ s'$

In the remainder, we write ∅ for None and ⌊x⌋ for Some x.

The monad threads the state along computations to model its in-place update. The safety property of the machine is implemented as an inline monitor: any violation leads to an unrecoverable error, i.e., the unique error represented by ∅. One step of the machine has the following signature:


step: M r state 


where r is the type of the result. The step function implements a defensive semantics, checking the absence of error, dynamically. For our rBPF interpreter (see Sect. 5), the absence of error ensures that the rBPF code only performs valid instructions. In particular, all memory accesses are restricted to a sandbox specified as a list of memory regions. Function step is part of the TCB and, therefore, a mis-specification could result, after refinement, in an invalid computation. The purpose of the error state is to specify state transitions that would escape the scope of the safety property and, therefore, shall never be reachable from a well-formed state st ∈ wf ⊆ 𝒫(state). We require well-formedness to be an inductive property of the step function.


Theorem 1 (Well-formedness). The step function preserves well-formedness.
$\forall st, st', r.\ st \in wf \land step\ st = \lfloor (r, st') \rfloor \Rightarrow st' \in wf$


We also require that well-formedness is a sufficient condition for the absence of error and, therefore, for the safety of computations.


Theorem 2 (Safety). The step function is safe, i.e., a well-formed state never leads to an error.
$\forall st.\ st \in wf \Rightarrow step\ st \neq \emptyset$
C-Ready Implementation. Our methodology consists in refining the step function into an interpreter step_∂x, complying with the requirements of ∂x. As ∂x performs syntax-directed code generation, the efficiency of the extracted code crucially depends on step_∂x. In order to preserve the absence of errors, we need a simulation relation between the step and step_∂x functions. A direct consequence of the simulation theorem is that step_∂x never raises an error.


Theorem 3 (Simulation). Given simulation relations $R_s \subseteq state \times state'$ and $R_r \subseteq r \times r'$, the function step_∂x simulates the function step.

$\forall s_1, s_1', s_2, r.\ (s_1, s_2) \in R_s \land step\ s_1 = \lfloor (r, s_1') \rfloor \Rightarrow$
$\quad \exists s_2', r'.\ step_{\partial x}\ s_2 = \lfloor (r', s_2') \rfloor \land (s_1', s_2') \in R_s \land (r, r') \in R_r$


Translation Validation of C Code. The next stage consists in refining the step_∂x function into a Clight program by relying on ∂x to get a C program and on the CLIGHTGEN tool to get a Clight step_C program (see Sect. 6). As this pass is not trusted, we require the following translation validation theorem.


Theorem 4 (Translation Validation). Given a simulation relation $R_s \subseteq state' \times val \times mem$ and a relation $R_r \subseteq res \times val$, the Clight code step_C refines the function step_∂x:

$\forall r, s, s', v, k, m.\ (s, v, m) \in R_s \Rightarrow step_{\partial x}\ s = \lfloor (r, s') \rfloor \Rightarrow$
$\quad \exists m', r'.\ Callstate(step_C, [v], k, m) \to^{*} ReturnState(r', call\_cont(k), m') \land (s', v, m') \in R_s \land (r, r') \in R_r$


Theorem 4 states that, if step_∂x s runs without error and returns a result (r, s′), then the Clight function step_C successfully runs with argument v and, after a finite number of execution steps, returns a result r′ and a memory m′ that preserve the refinement relations. In our encoding, the unique argument v is a pointer to the allocated memory region refining the interpreter state and k represents the continuation of the computation. A corollary of Theorem 4 is that the Clight code step_C is free of undefined behaviors. In particular, all memory accesses are valid. As the memory model does not allow pointers to be forged, this yields a strong isolation property. In the remainder of this paper, for our rBPF virtual machine, we prove all the aforementioned properties within the Coq proof assistant.


5 A Proof-Oriented Virtual Machine Model 


For our proof model, we define an explicit syntax for rBPF. We also define the 
state of the interpreter and semantic functions, in particular those implement- 
ing dynamic security checks. The rBPF instruction set, Fig. 2, features binary 
arithmetic and logic operations, negation, (un)conditional jumps relative to an 
offset, operations to load/store values from/to registers/memory, function calls, 
and termination. There are eleven 64-bit registers {RO,..., R10}; an immediate 
is 32-bit wide and an offset is 16-bit wide. 
(Operands) dst, reg ∈ registers, src ∈ registers ∪ immediate, imm ∈ immediate, ofs ∈ offset
(Chunk) chk ::= byte | halfword | word | doublewords
(Operators) op ::= add | sub | mul | div | and | or | lsh | rsh | mod | xor | mov | arsh
cmp ::= eq | neq | lt | gt | le | ge | set | slt | sgt | sle | sge
(Instruction) ins ::= Exit | Call imm | Neg dst | Ja ofs | Jump cmp dst src ofs | Alu op dst src | Load chk dst reg ofs | Store chk dst src ofs

Fig. 2. Core syntax of rBPF instruction set


Machine State. A semantic state st is a tuple (I, L, R, F, M, MRs) consisting of
a sequence of instructions I, the current location L, registers R, an interpreter
flag F, a memory M and a specification of available memory regions MRs. The
flag F characterizes the state of the rBPF interpreter. It may be i) a normal
state, written F_n; ii) a final state, written F_f; iii) or an error state, written F_e.
An error state (F = F_e) means that the defensive checks of the interpreter have
detected that an invalid behavior is about to occur.

A memory region mr = (start, size, p, ptr) ∈ MRs associates a permission
p ∈ {Readable, Writable} to the address range [start, start + size). We make
the link between concrete physical addresses and the CompCert memory model
using the pointer ptr (= Vptr b 0), where the block b is the abstract representation
of the address start. We write I(L) for the instruction located at the
program counter L. R[r] retrieves the value of the register r in the register map
R. Functions alu and cmp reuse CompCert's operators over the val type.
The alu function returns ∅ (None) if an error occurs, e.g., division by zero. Functions
load and store are those of CompCert's memory model (see Sect. 3).


alu   : op  → val → val → option val        cmp : cmp → val → val → bool
load  : chk → mem → block → Z → option val
store : chk → mem → block → Z → val → option mem


Dynamic Checks. Function check_alu dynamically checks the validity of an arithmetic
operation to avoid division-by-zero and undefined-shift errors. For division instructions,
check_alu mandates the second argument to be non-zero. For arithmetic and
logical shift instructions, the second argument has to be below n ∈ {32, 64},
depending on whether the ALU instruction operates on 32- or 64-bit operands.
For simplicity, the paper only considers 64-bit ALU instructions, but CertrBPF
also has the 32-bit variants.


$$\mathit{check\_alu}(op, v) = \begin{cases} v \neq 0 & \text{if } op \in \{\mathit{div}, \mathit{mod}\} \\ 0 \le v < n & \text{if } op \in \{\mathit{lsh}, \mathit{rsh}, \mathit{arsh}\} \\ \mathit{true} & \text{otherwise} \end{cases}$$


Function check_mem returns a valid pointer (Vptr b ofs) if there exists a
unique memory region mr in MRs such that i) the permission mr.perm is at least
Readable for Load and Writable for Store, i.e., mr.perm ≥ p; ii) the offset ofs is
aligned, i.e., ofs % Z(chk) = 0; iii) in bounds, i.e., ofs ≤ max_unsigned − Z(chk);
iv) and the interval [ofs, hi_ofs) is in the range of mr. Otherwise, check_mem
returns the null pointer Vnullptr. The function Z(chk) maps memory chunks
byte, halfword, word and doubleword to 1, 2, 4, and 8, respectively.


$$\mathit{check\_mem}(p, chk, addr, MRs) = \begin{array}{l} \text{if } \exists!\, mr \in MRs,\ b.\ \text{let } ofs = addr - mr.start \text{ and } hi\_ofs = ofs + Z(chk) \text{ in} \\ \quad (mr.ptr == \mathtt{Vptr}\ b\ 0) \wedge (mr.perm \ge p) \wedge (ofs \,\%\, Z(chk) == 0) \wedge \\ \quad (ofs \le max\_signed - Z(chk)) \wedge (0 \le ofs \wedge hi\_ofs \le mr.size) \\ \text{then } \mathtt{Vptr}\ b\ ofs \text{ else } \mathtt{Vnullptr} \end{array}$$


Semantics. Functions interp and sem formalize the implementation of our proof
model M_p in the Coq proof assistant by defining a monadic interpreter of rBPF.
The top-level recursion interp processes a (monotonically decreasing) fuel argument
and a state s. The function sem processes individual instructions I(L).
MRs and I are read-only. During normal execution, the flag remains F_n. If
the flag turns to F_f or F_e while processing an instruction, execution stops. For
instance, if fuel reaches zero, the flag turns to F_e. We write s.F for the value of
field F in record s and s{F = v} updates it to v.


interp = λ fuel s. if fuel == 0 then ⌊((), s{F = F_e})⌋ else
  match sem s with
  | ⌊((), t)⌋ => if t.F ≠ F_n then ⌊((), t)⌋
                 else interp (fuel − 1) t{L = t.L + 1}
  | ∅ => ∅


sem = λ s. match s.I(s.L) with
  | Exit => ⌊((), s{F = F_f})⌋
  | Call imm => let f_ptr = bpf_get_call imm in
                if f_ptr == Vnullptr then ⌊((), s{F = F_e})⌋
                else ⌊((), s{R0 = exec_function f_ptr})⌋
  | Ja ofs => ⌊((), s{L = s.L + ofs})⌋
  | Jump c dst src ofs => if cmp(c, s.R[dst], s.R[src])
                          then ⌊((), s{L = s.L + ofs})⌋ else ⌊((), s)⌋
  | Neg dst => ⌊((), s{R[dst] = −s.R[dst]})⌋
  | Alu op dst src => if check_alu(op, s.R[src]) then
                        match alu(op, s.R[dst], s.R[src]) with
                        | ⌊v⌋ => ⌊((), s{R[dst] = v})⌋ | ∅ => ∅
                      else ⌊((), s{F = F_e})⌋
  | Load chk dst reg ofs =>
      match check_mem(Readable, chk, s.R[reg] + ofs, s.MRs) with
      | Vptr b ofs => match load(chk, s.M, b, ofs) with
                      | ⌊v⌋ => ⌊((), s{R[dst] = v})⌋ | ∅ => ∅
      | _ => ⌊((), s{F = F_e})⌋
  | Store chk dst src ofs =>
      match check_mem(Writable, chk, s.R[dst] + ofs, s.MRs) with
      | Vptr b ofs => match store(chk, s.M, b, ofs, s.R[src]) with
                      | ⌊M'⌋ => ⌊((), s{M = M'})⌋ | ∅ => ∅
      | _ => ⌊((), s{F = F_e})⌋
The result ∅ marks transitions to crash states that are proved unreachable given
our carefully crafted definitions of the check_alu and check_mem functions. Note
that the interpreter interp checks neither the range of branching offsets (i.e.,
0 ≤ s.L < length(s.I)) nor register indices. These properties are statically
verified, once and for all, by the verifier of Sect. 8.

Exit terminates the program with flag F_f. The Call instruction selects (using
bpf_get_call) the trusted system API service designated by an immediate number
imm. It then calls the chosen service if available (i.e., not a null pointer). The
unconditional jump Ja increments the pc by ofs and a conditional Jump does so when
cmp(c, src, dst) holds. For an arithmetic operation Alu op dst src, check_alu first
checks the validity of op with source src; alu then evaluates op against destination dst
and the result v is stored in register dst. For simplicity, we omit the case of
immediate sources. If the result is ∅, so becomes the monadic state (undefined
behavior). Our definition of check_alu, together with the well-formedness conditions
(see Sect. 5.1), ensures that this never happens and that, in case of error, the
execution terminates with flag F_e. Similarly, the semantics of memory instructions
(Load, Store) validates memory accesses using the check_mem function. Its definition
ensures the absence of undefined behaviors.
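As an added example, and not code from the paper or from CertrBPF (whose proof model is written in Gallina), the following C model implements check_alu, check_mem and the fuel-bounded interp/sem loop for a constructed subset of the instruction set (Exit, Ja, Alu with a register source, Load, Store), so that the flag transitions described in the Dynamic Checks and Semantics paragraphs can be exercised on a constructed program. All names, the region table, the demo programs and the extra pc bound check in interp are this example's own assumptions; the crash state ∅ is represented by sem returning 0, and it is never reached in the demos because both checks run before every ALU operation and memory access.

```c
/* Added example (not CertrBPF's code): C model of check_alu / check_mem and
 * of the interp/sem loop for a constructed rBPF subset. */
#include <stdint.h>
#include <stddef.h>

enum perm { READABLE = 1, WRITABLE = 2 };   /* ordered: Writable >= Readable */
enum flag { F_N, F_F, F_E };                /* normal, final, error */
enum op   { OP_ADD, OP_DIV, OP_LSH, OP_MOV };
enum kind { I_EXIT, I_JA, I_ALU, I_LOAD, I_STORE };

struct region { uint32_t start, size; enum perm perm; uint8_t *ptr; };
struct ins { enum kind k; enum op op; unsigned dst, src; int16_t ofs; unsigned chk; };
struct state {
    const struct ins *I; size_t len;        /* read-only program */
    long L;                                 /* program counter */
    uint64_t R[11];                         /* R0..R10, always 64-bit integers */
    enum flag F;
    const struct region *MRs; size_t nmrs;  /* read-only region table */
};

/* check_alu: division by zero and shifts >= 64 are the 64-bit ALU errors. */
static int check_alu(enum op op, uint64_t v) {
    if (op == OP_DIV) return v != 0;
    if (op == OP_LSH) return v < 64;
    return 1;
}

/* check_mem: exactly one region must match with permission >= p, an aligned
 * offset and [ofs, ofs + chk) inside the region; otherwise the null pointer. */
static uint8_t *check_mem(enum perm p, unsigned chk, uint32_t addr,
                          const struct region *mrs, size_t n) {
    uint8_t *hit = NULL; size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const struct region *mr = &mrs[i];
        if (addr < mr->start) continue;
        uint32_t ofs = addr - mr->start;
        uint64_t hi_ofs = (uint64_t)ofs + chk;
        if (mr->perm >= p && ofs % chk == 0 &&
            ofs <= (uint32_t)INT32_MAX - chk && hi_ofs <= mr->size) {
            hit = mr->ptr + ofs; hits++;
        }
    }
    return hits == 1 ? hit : NULL;
}

/* sem: one instruction. Returns 0 only for the crash state (None); every
 * detected error is reported through the flag instead. */
static int sem(struct state *s) {
    const struct ins *i = &s->I[s->L];
    uint8_t *p;
    switch (i->k) {
    case I_EXIT: s->F = F_F; return 1;
    case I_JA:   s->L += i->ofs; return 1;
    case I_ALU:
        if (!check_alu(i->op, s->R[i->src])) { s->F = F_E; return 1; }
        switch (i->op) {
        case OP_ADD: s->R[i->dst] += s->R[i->src]; break;
        case OP_DIV: s->R[i->dst] /= s->R[i->src]; break;   /* guarded above */
        case OP_LSH: s->R[i->dst] <<= s->R[i->src]; break;  /* guarded above */
        case OP_MOV: s->R[i->dst] = s->R[i->src]; break;
        }
        return 1;
    case I_LOAD:                                  /* src plays the role of reg */
        p = check_mem(READABLE, i->chk, (uint32_t)(s->R[i->src] + i->ofs), s->MRs, s->nmrs);
        if (!p) { s->F = F_E; return 1; }
        s->R[i->dst] = 0;                         /* little-endian chunk decode */
        for (unsigned b = 0; b < i->chk; b++) s->R[i->dst] |= (uint64_t)p[b] << (8 * b);
        return 1;
    case I_STORE:
        p = check_mem(WRITABLE, i->chk, (uint32_t)(s->R[i->dst] + i->ofs), s->MRs, s->nmrs);
        if (!p) { s->F = F_E; return 1; }
        for (unsigned b = 0; b < i->chk; b++) p[b] = (uint8_t)(s->R[i->src] >> (8 * b));
        return 1;
    }
    return 0;
}

/* interp: fuel-bounded loop that stops as soon as the flag leaves F_N. The pc
 * range check is what verifier_inv guarantees statically in the paper; it is
 * kept here so this stand-alone model never indexes outside the program. */
static int interp(struct state *s, unsigned fuel) {
    for (;;) {
        if (fuel == 0 || s->L < 0 || (size_t)s->L >= s->len) { s->F = F_E; return 1; }
        if (!sem(s)) return 0;
        if (s->F != F_N) return 1;
        s->L++; fuel--;
    }
}

/* Constructed demo programs; R1 = 0x1000 points at a 16-byte writable region. */
static const struct ins store_load_add[] = {   /* *(u64*)R1 = R2; R3 = *(u64*)R1; R3 += R3 */
    { I_STORE, 0, 1, 2, 0, 8 }, { I_LOAD, 0, 3, 1, 0, 8 }, { I_ALU, OP_ADD, 3, 3, 0, 0 }, { I_EXIT } };
static const struct ins div_by_zero[] = { { I_ALU, OP_DIV, 2, 4, 0, 0 }, { I_EXIT } }; /* R4 == 0 */
static const struct ins oob_store[]   = { { I_STORE, 0, 1, 2, 16, 8 }, { I_EXIT } };  /* [16, 24) > size 16 */

/* run_demo: which = 0 store/load/add, 1 div by zero, 2 out-of-bounds store,
 * 3 store/load/add with only 2 units of fuel. Returns the final flag, R3 in *r3. */
static enum flag run_demo(int which, uint64_t *r3) {
    static const struct ins *progs[] = { store_load_add, div_by_zero, oob_store, store_load_add };
    static const size_t lens[] = { 4, 2, 2, 4 };
    static const unsigned fuels[] = { 10, 10, 10, 2 };
    uint8_t buf[16] = {0};
    struct region mr = { 0x1000, sizeof buf, WRITABLE, buf };
    struct state s = { progs[which], lens[which], 0, {0}, F_N, &mr, 1 };
    s.R[1] = 0x1000; s.R[2] = 42;
    interp(&s, fuels[which]);
    *r3 = s.R[3];
    return s.F;
}
static enum flag demo_flag(int which) { uint64_t r3; return run_demo(which, &r3); }
static uint64_t  demo_r3(int which)   { uint64_t r3; run_demo(which, &r3); return r3; }
```

Demo 0 ends in F_F with R3 = 84; demos 1 and 2 end in F_E with the registers and memory untouched by the faulting instruction, and demo 3 runs out of fuel after the load, leaving R3 = 42 and the flag at F_E, which is the behaviour the interp definition prescribes for fuel == 0.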


5.1 Proof of Software-Fault Isolation 


Our proof model M_p formalizes the semantics of rBPF. It is implemented in
Coq using Gallina. Assessing its correctness consists of proving two essential
properties: i) the well-formedness of the virtual machine's state, that is, its
register, memory and verifier invariants, and ii) software-fault isolation, that is, the
isolation of all transitions to a crash state ∅ using runtime safety checks (e.g.,
check_mem), hence the impossibility of a transition to an undefined behavior.

The register invariant states that all registers contain 64-bit integer values.
This rules out 32-bit integers and Vundef, but also pointers and floating-point
numbers, for which the alu function may be undefined.


Definition 1 (register_inv). $\forall r \in \mathit{registers}.\ \exists l.\ R[r] = \mathtt{Vlong}\ l$


As expected, the memory consistency invariant is a bit more elaborate. It
states that each memory region mr registers an 8-bit-integer block b of the
CompCert memory m, designated by a pointer mr.ptr, together with the 32-bit physical
address mr.start of b, the 32-bit size mr.size of b and at least Readable permissions
mr.perm across [0, size). Finally, every two regions point to disjoint physical address
spaces in m (CompCert blocks are disjoint whenever mr'.ptr ≠ mr.ptr).


Definition 2 (memory_inv). $\forall mr \in MRs,\ m.\ \exists b, start, size.$ s.t.

$$\begin{array}{l} mr.ptr = \mathtt{Vptr}\ b\ 0 \wedge \mathtt{Mem.valid\_block}\ m\ b \wedge \mathtt{is\_byte\_block}\ b\ m \wedge {} \\ mr.start = \mathtt{Vint}\ start \wedge mr.size = \mathtt{Vint}\ size \wedge mr.perm \ge \mathtt{Readable} \wedge {} \\ \mathtt{Mem.range\_perm}\ m\ b\ 0\ (\mathtt{Int.unsigned}\ size)\ \mathtt{Cur}\ mr.perm \wedge {} \\ (\forall mr' \in MRs,\ mr' \neq mr \rightarrow mr'.ptr \neq mr.ptr) \end{array}$$


Linux eBPF has a verifier to statically analyze eBPF programs and only
accept those which are free of undefined behaviors. Our CertrBPF verifier,
introduced in Sect. 8, ensures the weaker invariant given by Definition 3. The
invariant stipulates the minimal pre-condition so that the interpreter can safely
run a sequence of instructions I. More precisely, the invariant states that each
instruction I[i] references registers within the range [0, 10] and that the target
of every jump instruction is within the program range, i.e., 0 ≤ i + ofs + 1 ≤
length(I) − 1.


Definition 3 (verifier_inv). $\forall i, I, ofs.\ 0 \le i \le \mathit{length}(I) - 1 \rightarrow$

$$\begin{array}{l} 0 \le \mathit{get\_dst}(I[i]) \le 10 \wedge 0 \le \mathit{get\_src}(I[i]) \le 10 \wedge {} \\ ((I[i] = \mathtt{Ja}\ ofs \vee I[i] = \mathtt{Jump}\ \_\ \_\ \_\ ofs) \rightarrow 0 \le i + ofs + 1 \le \mathit{length}(I) - 1) \end{array}$$


These three invariants implement well-formedness as proposed in Sect. 4.
Therefore, the following Coq theorem sem_preserve_inv proves Theorem 1 and
states that well-formedness is preserved by the interp function. Similarly, theorem
inv_ensure_no_undef proves Theorem 2. This proves that the dynamic checks
of the model M_p are sufficient to ensure the absence of error. In particular, all
memory accesses are valid and performed within the dedicated memory regions.
As a result, our model ensures software fault isolation. The corollary of theorems
sem_preserve_inv and inv_ensure_no_undef is that our virtual machine,
obtained by refinement of the proof model, will always isolate code from other
memory regions of the operating system and never crash it.


Theorem sem_preserve_inv: ∀ (st st': state) (fuel: nat)
  (Hinv: register_inv st ∧ memory_inv st ∧ verifier_inv st)
  (Hsem: interp fuel st = ⌊(tt, st')⌋),
  register_inv st' ∧ memory_inv st' ∧ verifier_inv st'.

Theorem interp_no_undef: ∀ (st: state) (fuel: nat)
  (Hinv: register_inv st ∧ memory_inv st ∧ verifier_inv st),
  interp fuel st ≠ ∅.


6 A Synthesis-Oriented eBPF Interpreter 


The coding style of the proof model M_p is quite different from the original RIOT
implementation in C and lacks the optimizations used in the latter to improve run-time
performance. The synthesis model M_s first refines M_p into an optimized,
safe and behaviorally equivalent monadic model, which is then automatically
transformed into an effectful implementation model M_e using ∂x.

Synthesis Model M_s. M_s refines our proof model by following the principle
"make M_s as close as possible to the expected target C code". M_s also refines
Coq types because each Coq inductive type may correspond to several C types
(e.g., Vint/Vlong to signed or unsigned, 32-bit or 64-bit). The case of Vptr
is particularly delicate, as the target type contextually relies on bit-size and
signedness. To sort this out, we rename Coq types to match the correct C type.
For example, val64_t, valu32_t, vals32_t are Val types mapped to unsigned
long long, unsigned int and int, respectively.


Equivalence. Both M_p and M_s use the same monadic state st as in Sect. 5.
Hence, the simulation relation R ⊆ st × st required by Theorem 3 is equality.
As a result, we prove the stronger result that both interp : nat → M unit, the
M_p interpreter, and interp_dx : nat → M unit, the M_s interpreter, denote the
exact same function.


Theorem equivalence_relation: ∀ (st: state) (fuel: nat),
  interp fuel st = interp_dx fuel st.


∂x Configuration and Implementation Model M_e. To extract the implementation
model, we supply ∂x with our monad M and a mapping relation from Gallina
to C, Table 1.


Table 1. Mapping relation from Gallina to C


                Gallina                               C
Types           reg/sint32_t/valptr8_t ...            unsigned int/int/unsigned char* ...
Constructions   true/Int.repr(-2)/F_n ...             1/-2/0 ...
Constants       Val.addl/subl/mull/Z.eqb ...          +/-/*/== ...
Functions       eval_pc: M sint32_t ...               int eval_pc(struct state *) ...
Code struct     if-then-else, match-pattern ...       if-else, switch-case ...


Inductive types map to C types, e.g., reg to unsigned int (note that a many-to-one
relation from Gallina to C is legal). Gallina constructs and constant functions
map to C operators and constants, e.g., ‘Val.addl’ to ‘+’, ‘Int.repr(−2)’
and ‘true’ to ‘−2’ and ‘1’, etc. Gallina functions map to C functions. For any
function operating on the monadic state, the target C function has an additional
argument st of type struct state*, which corresponds to the implicit state of the
monad. Gallina's match-pattern translates to C's switch-case, etc.


Code Extraction with ∂x. The extracted C implementation preserves the structure
of the original Gallina code, and the extracted C functions directly operate
on actual memory locations, as CompCert memory operations map to C expressions
with a dereference. Consider the example of the step_mem_st_reg function.

Definition step_mem_st_reg (src: val64_t) (addr: valu32_t) (op: int8_t):
  M unit :=
  do opcode_st <- get_opcode_mem_st_reg op;
  match opcode_st with
  | op_BPF_STXW =>
    do addr_ptr <- check_mem Writable Mint32 addr;
    if eq_ptr_null addr_ptr then
      upd_flag BPF_ILLEGAL_MEM
    else (** i.e. Mem.storev Mint32 addr_ptr src *)
      do _ <- store_mem_reg Mint32 addr_ptr src; returnM tt


CompCert's byte type int8_t is mapped to unsigned char. Constructors op_BPF_STXW,
BPF_ILLEGAL_MEM and Writable are respectively mapped to ‘99’, ‘-2’ and
‘2U’. The constant function eq_ptr_null is translated into an operation that checks
whether a pointer is null. The ‘match opcode_st with’ is extracted to ‘switch
(opcode_st) case’. Functions step_mem_st_reg, check_mem and store_mem_reg
in C have an additional monadic argument st.


void step_mem_st_reg(struct bpf_state* st, unsigned long long src,
                     unsigned int addr, unsigned char op) {
  unsigned char opcode_st;
  unsigned char *addr_ptr;

  opcode_st = get_opcode_mem_st_reg(op);
  switch (opcode_st) {
    case 99:                                   /* op_BPF_STXW */
      addr_ptr = check_mem(st, 2U, 4U, addr);  /* Writable, Mint32 */
      if (addr_ptr == 0) {
        upd_flag(st, -2); return;              /* BPF_ILLEGAL_MEM */
      } else { // i.e. *(unsigned int *) addr_ptr = src
        store_mem_reg(st, 4U, addr_ptr, src); return;
      }
    /* remaining cases of the extracted function omitted */
  }
}


7 Simulation Proof of the C rBPF Virtual Machine 


In this section, we explain how to establish Theorem 4 for the Clight code of our
virtual machine, derived from ∂x and compiled into a Clight AST in Coq using
the clightgen tool.


Simulation Relation. A crucial ingredient of Theorem 4 is the simulation relation 
between the Gallina state monad and the Clight state which is essentially made 
of a CompCert memory. The Gallina state comprises a CompCert memory that 
models the various memory regions available to the rBPF program. This memory 
may also contain other blocks that are not modified by the virtual machine 
but represent other kernel data-structures. The simulation relation stipulates 
that such blocks also exist in the Clight memory and have the same content. 
The Clight memory contains additional blocks (i.e., state_block, ins_block and
mrs_block) to model the other fields of the Gallina state. The layout and content
of those blocks are depicted in Fig. 3.


A Verified eBPF Virtual Machine for Micro-controllers 307


[Fig. 3 (figure not reproduced): left, the Gallina state st_rBPF with fields pc, flag, regs R0..R10, ins_len, ins, mrs_num and mrs; right, the rBPFClight memory with state_block (pc, flag, R0..R10, ins_len, Vptr ins_block 0, mrs_num, Vptr mrs_block 0), ins_block (ins(0) .. ins(ins_len−1), 8*ins_len bytes) and mrs_block (start(n), size(n), perm(n), Vptr b(n) 0 for each region, 16*mrs_num bytes). Legend: dashed arrow = points to, diamond = simulate, solid line = equal.]


Fig. 3. Simulation relation R between st_rBPF, left, and rBPFClight, right.


Solid arrows in Fig. 3 are simulation relations between state_block and st_rBPF.
Solid lines are the equalities between the rBPF memory m and blocks in the rBPFClight
memory. Dashed lines indicate relations of pointers to blocks in CompCert
memory. The encoding exploits the fact that each field of the Gallina state has a
known length. Thus, every field can be encoded as a contiguous sub-block. As a
result, the program counter is obtained from the first 4 bytes: loading a memory
chunk of type Mint32 at offset 0 retrieves the pc field of the Gallina state. The
next 4 bytes encode the enumerated type flag. Here, each constructor of type
flag is assigned an integer. The next 11 × 64 bits are used to encode the register
bank of the Gallina state.

$$R_s(st_{rBPF}, \mathit{state\_block}, m_{Clight}) \stackrel{\mathrm{def}}{=} \begin{array}{l} st_{rBPF}.pc = \mathtt{load}\ \mathtt{Mint32}\ m_{Clight}\ \mathit{state\_block}\ 0 \\ \wedge\ st_{rBPF}.flag = \mathtt{load}\ \mathtt{Mint32}\ m_{Clight}\ \mathit{state\_block}\ 4 \\ \wedge\ st_{rBPF}.R0 = \mathtt{load}\ \mathtt{Mint64}\ m_{Clight}\ \mathit{state\_block}\ 8 \\ \wedge\ \ldots \end{array}$$


The next elements of the Clight block represent the lists of instructions and 
of memory regions. In a functional language, lists are potentially of unbounded 
length and have a polymorphic type. Here, our lists always have fixed lengths and 
elements of fixed size. As a result, a list is directly encoded by a field specifying 
its length followed by a pointer to its memory block. The elements of the list are 
stored continuously in the pointed block. 


Systematic Proof of Simulation. Since the ∂x tool is syntax-directed, there is a
systematic correspondence between the source Gallina and the target C code.
We exploit this property to design a minimal Clight logic geared toward our
simulation proof. Our Clightlogic generalizes the translation validation theorem
(Theorem 4) to accommodate Gallina functions and C functions with multiple
arguments. In that case, we have a precondition which states that the Gallina and
C arguments are linked pairwise by a refinement relation. Most of the arguments
are numeric values and, in this case, the refinement relation states that the Gallina
and C values are the same. The Clightlogic also provides a syntax-directed
proof principle for each pair of Gallina/C syntactic constructs. For instance, the
bindM operator translates to a sequence in the C code. Also, the result of a Gallina
function call is bound to a local variable in C. Moreover, the local variable v
below stands for the monadic state in C and points to the state memory block.


$$\partial x(\mathtt{bindM}\ f\ (\lambda x.\ g)) = (v_x = f_C(v);\ g_C(v, v_x))$$


To exploit this pattern, our invariants take the form of an association list mapping
each local variable to a set of C values that is obtained by partially evaluating
a refinement relation with the Gallina value computed by the function
(Fig. 3). To evaluate f, one needs a refinement relation R_s between
the Gallina state st and the C value of v in memory m. Now, suppose that
f st = ⌊r, st'⌋. Since f_C is a correct refinement of f, relations R_s(st', v, m') and
R_r(r, x) hold for the value x of the local variable v_x in the current environment.
We conclude by mapping v_x ↦ R_r r and use this invariant to refine g by g_C.

The translation validation theorem proves a forward simulation relation from
Coq to Clight. A backward simulation relation can be constructed as Gallina
programs are functions and Clight is determinate.


8 CertrBPF Verifier 


Linux eBPF's compiler and runtime system do not enforce type or memory
safety. Instead, safety is verified prior to execution using a static analyzer that
checks program validity. As both its size and complexity cannot fit the requirements
of an MCU architecture, CertrBPF instead provides a simple (linear-time)
but formally verified verifier, CertrBPF-verifier, which ensures the invariant
verifier_inv (Definition 3). Accordingly, it scans an input rBPF program
(i.e., a list of 64-bit bytecode instructions) and rejects it when: i) a source or
destination register is greater than 10; ii) the offset of a jump instruction is out
of the instruction sequence bounds; iii) or the last instruction is not the Exit
instruction (opcode 0x95).

Static verification of these properties allows the interpreter to skip unnecessary
dynamic checks. Our verifier adopts the same end-to-end verification
method as the interpreter, Sect. 4. The virtual machine state in CertrBPF-verifier
is a strict subset of the interpreter's state: st_v = (I, M) consists of a
sequence of instructions I and a memory M.
Theorem verifier_well_formedness_and_safety :
  ∀ (st: verifier_state) (b: bool),
  verifier st = ⌊(b, st)⌋.

Theorem verifier_imply_inv :
  ∀ (st: verifier_state) (st': state)
  (Hinclude: st ⊆ st') (Hpre: verifier st = ⌊(true, st)⌋),
  verifier_inv st'.


Theorem verifier_well_formedness_and_safety proves both Theorem 1 and
Theorem 2. The verifier has the following properties: i) no assumption (every
state is well-formed); ii) it never crashes (safety); iii) it never modifies the VM state.
In addition, the Coq theorem verifier_imply_inv states that if the verifier
returns true, verifier_inv holds. Considering that the verifier's proof and synthesis
models are exactly the same, the simulation relation R_v ⊆ st_v × st_v
required by Theorem 3 is equality. CertrBPF-verifier reuses the Clightlogic to
carry out the simulation proof of its C implementation.
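As an added example, and not the CertrBPF verifier itself (whose Gallina and extracted C sources are not reproduced on this page), the following C function performs a single linear pass implementing the three rejection rules listed above, together with a small encoder used only to build constructed test programs. It assumes the standard eBPF 64-bit instruction layout (opcode in the low 8 bits, then 4-bit dst, 4-bit src, 16-bit signed offset, 32-bit immediate) and eBPF's opcode values, treating Exit (0x95) and Call (0x85) as the two jump-class opcodes that are not branches; the page does not state whether rBPF deviates from this encoding, so that is this example's assumption. The jump rule checks exactly the bound of Definition 3, 0 ≤ i + ofs + 1 ≤ length(I) − 1.

```c
/* Added example (not CertrBPF's code): linear-time scan for the three
 * rejection rules of the CertrBPF verifier over eBPF-encoded instructions. */
#include <stdint.h>
#include <stddef.h>

#define BPF_JMP_CLASS 0x05    /* low 3 opcode bits of every 64-bit jump (assumed eBPF encoding) */
#define BPF_CALL      0x85    /* jump class, but not a branch */
#define BPF_EXIT      0x95    /* opcode the page gives for Exit */
#define BPF_MOV64_IMM 0xb7
#define BPF_JA        0x05

static uint8_t  ins_opcode(uint64_t w) { return (uint8_t)(w & 0xff); }
static unsigned ins_dst(uint64_t w)    { return (unsigned)((w >> 8) & 0xf); }
static unsigned ins_src(uint64_t w)    { return (unsigned)((w >> 12) & 0xf); }
static int      ins_ofs(uint64_t w) {                 /* signed 16-bit offset */
    unsigned u = (unsigned)((w >> 16) & 0xffff);
    return u >= 0x8000 ? (int)u - 0x10000 : (int)u;
}

enum verdict { V_OK, V_EMPTY, V_BAD_REG, V_BAD_JUMP, V_NO_EXIT };

/* verify: V_OK exactly when every register index is <= 10, every branch
 * target satisfies 0 <= i + ofs + 1 <= len - 1, and the last instruction is
 * Exit. The program is only read, never modified. */
static enum verdict verify(const uint64_t *I, size_t len) {
    if (len == 0) return V_EMPTY;
    for (size_t i = 0; i < len; i++) {
        uint64_t w = I[i];
        uint8_t op = ins_opcode(w);
        if (ins_dst(w) > 10 || ins_src(w) > 10) return V_BAD_REG;
        if ((op & 0x07) == BPF_JMP_CLASS && op != BPF_EXIT && op != BPF_CALL) {
            long target = (long)i + 1 + ins_ofs(w);
            if (target < 0 || target > (long)len - 1) return V_BAD_JUMP;
        }
    }
    return ins_opcode(I[len - 1]) == BPF_EXIT ? V_OK : V_NO_EXIT;
}

/* enc: build one 64-bit instruction word (for constructed programs only). */
static uint64_t enc(uint8_t op, unsigned dst, unsigned src, int ofs, int32_t imm) {
    return (uint64_t)op | ((uint64_t)(dst & 0xf) << 8) | ((uint64_t)(src & 0xf) << 12)
         | ((uint64_t)((unsigned)ofs & 0xffff) << 16) | ((uint64_t)(uint32_t)imm << 32);
}

/* example: a 3-instruction program (r0 = 1; ja +0; exit) with one constructed
 * defect selected by `which`: 1 register 11, 2 forward jump past the end,
 * 3 no trailing Exit, 4 valid backward jump, 5 backward jump before index 0. */
static enum verdict example(int which) {
    uint64_t prog[3];
    prog[0] = enc(BPF_MOV64_IMM, 0, 0, 0, 1);
    prog[1] = enc(BPF_JA, 0, 0, 0, 0);            /* target 1 + 1 + 0 = 2 = len - 1 */
    prog[2] = enc(BPF_EXIT, 0, 0, 0, 0);
    switch (which) {
    case 1: prog[0] = enc(BPF_MOV64_IMM, 11, 0, 0, 1); break;
    case 2: prog[1] = enc(BPF_JA, 0, 0, 5, 0); break;    /* target 7 */
    case 3: prog[2] = enc(BPF_MOV64_IMM, 0, 0, 0, 2); break;
    case 4: prog[1] = enc(BPF_JA, 0, 0, -2, 0); break;   /* target 0 */
    case 5: prog[1] = enc(BPF_JA, 0, 0, -3, 0); break;   /* target -1 */
    }
    return verify(prog, 3);
}
```

Because the scan rejects on the first violated rule, a program that is both out of range and missing its Exit reports the earlier of the two; the interpreter only relies on the conjunction, so this ordering is a reporting choice, not a safety one.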


9 Evaluation: Case Study of RIOT’s Femto-Containers 


We integrate CertrBPF as a drop-in replacement for the existing non-verified 
module optimized for size (vanilla-rBPF) in the IoT operating system RIOT to 
provide the expected femto-container functionalities [39]. 


Implementation. The proof model of the interpreter (Sect. 5) consists of 2.4k 
lines of Coq code and the corresponding isolation proof (Sect. 5.1) is more than 
4.8k lines long. The synthesis model, Sect. 6, is approx. 3.2k lines long and the 
equivalence theorem is completed by 0.6k proof code. The final step (Sect. 7) 
includes 10.8k translation validation proofs between the Gallina specification and 
the extracted Clight model. As for the CertrBPF verifier (Sect. 8), the proof and 
synthesis models sport 1.4k lines of Coq code. The corresponding proofs are more 
than 0.5k long and the last simulation proof is about 8.3k long. In addition, the 
Clightlogic implementation has 4.4k lines of Coq code. 


Experimental Evaluation Setup. Our experimental objects are the original non- 
verified rBPF interpreter (i.e., vanilla-rBPF) and the automatically extracted 
and verified CertrBPF interpreter (without RIOT’s API). We carry out our 
measurements on a selected set of popular, commercial, off-the-shelf low-power 
IoT hardware, representative of modern 32-bit micro-controller architectures and 
boards: i) Nordic nRF52840 (Arm Cortex-M); ii) Espressif WROOM-32 (Espres- 
sif ESP32); iii) Sipeed Longan Nano GD32VF103CBT6 (RISC-V). All code 
is compiled with GCC using size optimization enabled and the
-foptimize-sibling-calls GCC option to remove all tail-recursive calls and thus bound
the stack size. This is critical to our isolation theorem as it relies on the implicit
CompCert assumption that the stack cannot overflow. To avoid a possible mismatch
between the CompCert semantics and the GCC semantics, we also pass
the following options: i) -fwrapv and -fwrapv-pointer, meaning that both signed and
pointer arithmetic wrap around according to the two's-complement encoding; ii)
-fno-strict-aliasing, meaning that there is no aliasing assumption.


Results. We first evaluate the memory footprint of the CertrBPF interpreter,
compared to vanilla-rBPF. We measure i) Flash size: all read-only data, including
the actual code; ii) Stack: the approximate RAM used for stack space; iii) Context:
the static RAM. In terms of Flash, our measurements show that CertrBPF
actually reduces the footprint by 47% on RISC-V and by 35% on ESP32, and a
10% decrease on Cortex-M. In terms of stack requirements, CertrBPF reduces
the footprint by 33% on Cortex-M, by 22% on RISC-V, and by 4% on ESP32.
The context memory, however, increases from 92B to 144B on all platforms.


Fig. 4. Time per instruction on the Cortex-M4 platform


Next, we micro-benchmark the performance of core operations: single instruc- 
tions from the arithmetic logic unit (ALU), for memory access (MEM) and 
branch instructions, with a mix of register and immediate value for the operands, 
Fig. 4. These results are averages over 1000 single identical instruction calls with 
a single return statement to make the application exit. 

Finally, we benchmark the performance of actual IoT data processing, hosted
in a femto-container with RIOT running on our selected hardware. In this use
case, a sliding window average is performed within the femto-container, on available
sensor data points. Figure 5 shows the performance we measured depending
on the size of the window. We use this as a blueprint for computation load scaling.


Fig. 5. Sliding window average on Cortex-M, ESP32, and RISC-V.


Key Take-Away. We observe that CertrBPF generally decreases the memory
footprint. One reason is that calls to the RIOT API are currently not supported
by CertrBPF. We observe, Fig. 4, that the execution slow-down is acute
for Branch instructions on Cortex-M. However, on all other platforms (RISC-V,
ESP32 and Cortex-M), our micro-benchmarks show that most instructions enjoy
a speed-up with CertrBPF compared to vanilla-rBPF. This behavior is also visible
in our sensor data processing benchmark, Fig. 5, where CertrBPF performs
better than vanilla-rBPF on the three platforms. All in all, CertrBPF gains
security and reduces both memory footprint and execution time.


10 Related Works 


Methodologies for Systems and Compilers Verification. The verification of compilers
[18], static analyzers [16], and operating systems [12,17] has been the
subject of vast development and verification efforts due to the sheer code size of
the artifacts at stake. These full-scale case studies gave rise to new strategies and
methodologies to address the challenge of verifying large software. One such approach
is Cogent [35], which aims at developing verified applications on top of the
seL4 [17] micro-kernel. Cogent [35] consists of a functional language with linear
types to specify source programs and produces C code with Isabelle/HOL proof
information. It provides a framework to prove that the extracted C code refines a
high-level Isabelle/HOL functional correctness specification in the Isabelle/HOL
proof assistant. Our method differs from co-specification in Cogent in that it is
direct: it directly translates Coq specifications into C code and performs the
end-to-end verification in Coq. CertiKOS [12] uses a multi-layered, refinement-based,
and modular definition of a micro-kernel from its low-level memory model
to its user-level interface and services. It is adopted in SeKVM [22], a layered
Linux KVM hypervisor architecture for multiprocessor hardware. The CompCert
project [18] adopted this "divide-and-conquer" strategy to decompose the verification
of a full-scale ANSI C compiler into that of its successive transformations
from source program to machine code, compositionally verifying each of
the translation steps to be bisimilar. Its related static analyser, Verasco [16], employs
static analysis of CompCert C code using a verified core abstract interpreter with
composable abstract domains. Our problem statement is methodologically simpler:
to build a safe and small VM that interprets rBPF virtual instructions on
networked micro-controllers. We choose the radical approach of proof-oriented
programming (à la Low* [34], Vale [5]) to prove an rBPF interpreter embedded
in Coq correct and to directly extract verified code from its definition.


Background on BPF and Its Verified Implementations. Mogul et al. [26] introduce
a stack-based virtual machine to interpret packet filters in the BSD kernel,
which BPF extended to 32-bit instructions. BPF gained adoption in the Linux
community and became eBPF (extended BPF), a virtual 64-bit RISC-like architecture.
To our knowledge, verification of BPF runtime systems has mainly
focused on JIT translation for operation on micro-kernels. Myreen [28] verifies a
JIT compiler targeting x86 for a stack language using the HOL4 proof assistant.
The generated code only preserves the semantics of the source code but does
not ensure any isolation property. Porncharoenwase et al. [33] use CompCert to
extract an OCaml translator from BPF to assembly code, verified using the proof
assistant Coq, with the OCaml runtime, an assembler, and a linker as TCB. Van
Geffen et al. [11] present an optimized JIT compiler for Linux BPF with automated
static analysis onboard, assuming offline verification using the Linux BPF
verifier as TCB. For field deployment on networks of micro-controllers (IoT), all
the above approaches would require a trusted, offline BPF verifier and, additionally,
a secure upload protocol to sign verified scripts and perform authenticated
uploads on target devices, which motivates our approach of using a fault-proof
virtual machine instead.


Background on Verified Virtual Machines. Lochbihler [23] presents the verified
implementation of a virtual machine modeling the semantics, memory model
and byte-code semantics of Java, all by using the proof methodology of translation
validation [18,32]. Desharnais and Brunthaler [7] propose the formal verification
of an optimized and secure JavaScript interpreter in Isabelle/HOL. Its
proof methodology is based on concepts of bisimulation. The interpreter targets
optimal security and run-time performance. To target MCU devices, our rBPF
VM instead seeks an optimal run-time memory footprint, to support the expected
capability of dynamically running several isolated services on a small device with
shared memory. Zhang et al. [40] present a different and ambitious workflow using
the deductive programming environment Why3 [9] to specify a virtual machine
of Ethereum byte-code (EVM) and verify functional correctness of smart contracts
against it. The EVM is extracted to OCaml binary code, yielding a TCB
consisting of the OCaml runtime and the implementation of Ethereum's protocols.


Background on Converting Gallina Programs into Executables. Besides the proof-oriented
approach advocated by dependently-typed functional languages like F*
mentioned in Sect. 2, there are various alternatives to ∂x for extracting executables
from Gallina programs. To begin with, Coq comes with a builtin extraction
mechanism [21] that generates OCaml, Haskell or Scheme. This path has a rather
large TCB (Coq extraction and a compiler). CertiCoq [1] is an ongoing project
aiming at generating CompCert C code from Gallina using a specific IR and
several passes. Once this effort is completed, it will allow one to rely on a small
TCB. Œuf [27] is another tool to compile Gallina to C. It considers a carefully
chosen subset of Gallina to tackle the tricky issue of verifying the reflection of
Gallina into an AST. Both CertiCoq and Œuf, however, require a garbage collector
and define how Coq inductives are represented at runtime. Codegen [36]
converts Gallina to C with the goal of maximizing performance by, e.g., allowing
the user to control how Coq values are represented at runtime. Rupicola
[31] considers an original and promising approach which regards a compiler as
a partial decision procedure: it consists of a proof search procedure, which may
fail, or else exhibit a target program in bedrock2 (a C-like low-level language
AST embedded in Coq) with a proof of equivalence. It has, at present, only been
tested on small algorithms. We chose to use ∂x for its simplicity and because it
does not increase our TCB. It shares with Codegen the capability to configure
the representation of values. Unlike Codegen, it produces C code that is structurally
identical to the source code. This direct and traceable translation simplifies
the verification of generated code w.r.t. source programs, and facilitates source
program optimisations.


11 Conclusion and Future Works 


This paper uses a refinement methodology to directly derive a verified C implementation 
of rBPF, the implementation of BPF hosted by the RIOT operating system, 
from a Gallina specification in Coq. All the refinement steps are mechanically 
verified using the Coq proof assistant to minimize the TCB. We prove that our 
rBPF virtual machine isolates software faults and does not produce runtime 
errors. Performance is on par with the vanilla rBPF implementation in RIOT. 

Our future work aims at instantiating our proof workflow to a (fault-isolating) 
JIT compiler, one challenge being that Linux’s approach of using a verifier will 
not be feasible on resource-constrained devices, and another being that certain 
operations might only be expressible in assembly code. This calls for further 
studies on ways to substantially improve the efficiency of our VM. 


Acknowledgments. The authors wish to thank the anonymous reviewers for their 
feedback and suggestions. This work is partly funded by Inria Challenge RIOT-fp, the 
ANR/BMBF project TinyPART, and the H2020 project Sparta. 
Abstract. Cache-coherence protocols have been one of the greatest 
challenges in formal verification of hardware, due to their central com- 
plication of executing multiple memory-access transactions concurrently 
within a distributed message-passing system. In this paper, we introduce 
Hemiola, a framework embedded in Coq that guides the user to design 
protocols that never experience inconsistent interleavings while handling 
transactions concurrently. The framework provides a DSL, where any 
protocol designed in the DSL always satisfies the serializability prop- 
erty, allowing a user to verify the protocol assuming that transactions 
are executed one-at-a-time. Hemiola also provides a novel invariant proof 
method, for protocols designed in Hemiola, that only requires consider- 
ing execution histories without interleaved memory accesses. We used 
Hemiola to design and prove hierarchical MSI and MESI protocols as 
case studies. We also demonstrated that the case-study protocols are 
hardware-synthesizable, by using a compilation/synthesis toolchain tar- 
geting FPGAs. 


Keywords: formal verification - cache coherence - proof assistants 


1 Introduction 


Programming languages and compilers help engineers describe each system at 
the most expedient level of abstraction. The process of experimenting with new 
languages is most familiar from the software world, but hardware designers also 
benefit from it. Of course, Verilog and VHDL themselves are significant steps up 
from direct circuit descriptions. Some families of hardware languages go further, 
in roughly the sense that, say, Java goes further than C, providing abstrac- 
tions that simplify reasoning about modular design. The rule-based hardware 
languages like Bluespec [23] allow hardware designers to imagine that system 
modules take turns executing local atomic state-change rules, with no concur- 
rency. In reality, parallel execution is essential for performance, and compilers 
for these languages rely on static analysis to extract parallelism soundly. 
Roughly speaking, a rule in Bluespec and its relatives must run within a 
single clock cycle. What happens when we want to simplify reasoning about 
longer-running processes? A prime example is a cache-coherence protocol. A 
memory hierarchy is a distributed system, with many caches communicating 
through explicit message passing, requiring at least as many clock cycles as the 
longest dependency chain of message exchanges. The logic is notoriously difficult 
to get right. One reason is that many memory requests from processor cores may 
be handled simultaneously. One cache may be working on one request, while a 
neighboring cache is working on a different request. Might there be abstractions 
that remove this complication from the hardware designer’s thought process, 
much as Bluespec allows the same designer to pretend that different hardware 
components do not execute state-change logic in parallel? 

We answer affirmatively in presenting Hemiola, the first hardware-description 
language that presents cache-coherence transactions as if they run atomically, 
while realizing the usual parallel performance gains. We define a transaction as 
all the activity within the memory system in response to a single request from 
a processor core or other user of the memory. One request may trigger a flurry 
of activity in the protocol, but the designer may at least pretend that no other 
request is active in the same period. 

The foundation of Hemiola is identifying commonalities across practical 
cache-coherence protocols and embodying them in a domain-specific language 
(DSL). We fix a notion of node hierarchy and message-passing channels, enu- 
merating rule templates capturing relevant communication patterns. Protocols 
are then described in terms of single-cycle, per-cache rules, each instantiated 
from a template. Crucially, a locking discipline is built into the language and 
handled automatically by the templates. 

In addition to the DSL, Hemiola provides formal tools significantly easing 
verification of all cache-coherence protocols designed in it. The DSL is embedded 
in the Coq proof assistant and has a fully machine-checked proof of soundness, 
formalized as serializability: any state invariant preserved with one-transaction- 
at-a-time execution is also preserved in true parallel execution. The serializability 
property is once-and-for-all at the language level, freeing protocol designers from 
needing to reason about interleavings among transactions. In a sense, our work 
takes techniques that have been used for per-protocol verification and lifts them 
to apply at the level of a DSL, so that no verification effort need be expended 
on them per-protocol. 

To sum up, the contribution of this paper consists of two parts¹: 


— We discover a set of topology and lock conditions that ensures serializability, 
extracted from usual cache-coherence protocol designs. We then identify a 
DSL, where every protocol defined in this language ensures serializability 
by-construction, backed up with mechanized Coq proof (Sect.3). Lastly, we 
formalize how serializability helps prove global invariants, by using the novel 
notion of predicate messages in distributed protocols (Sect. 4). 

— We provide the complete correctness proofs of hierarchical cache-coherence 
protocols (Sect.5) using Hemiola. Our case studies are the first complete 


1 Our framework and case studies are available as open source: https://github.com/ 
mit-plv/hemiola. Choi’s dissertation [9] goes into additional detail. 
mechanized proofs that share a large segment of reusable proofs across vari- 
ous cache-coherence protocols. We also demonstrate that the case-study pro- 
tocols are hardware-synthesizable, by using a compilation/synthesis toolchain 
in Hemiola (Sect. 6). 


2 A Motivating Example 


Before introducing our proposed method to design and verify cache-coherence 
protocols, we provide a simple motivating example to explain the typical chal- 
lenges and how we suggest to handle them. For simplicity, in this section, we 
will consider a protocol handling only a single memory location. We will see it 
is still nontrivial to design a correct protocol. 

The overall goal of cache coherence is to preserve coherence among multiple 
candidate values in a memory subsystem. In other words, if the system is coher- 
ent, then it should behave like an atomic memory. Figure 1 shows caches and 
network channels for a directory-based MSI protocol. There are three caches (P, 
C1, and C2), and each of them has its own status (Modified, Shared, or Invalid) 
and data (v). In this MSI protocol, a cache can read/write the data with the M 
status, only read with S, and cannot read/write with I. The parent P addition- 
ally has a data structure called a directory to track the statuses of the children. 
For example, a directory might be S{1,2}, meaning that both C1 and C2 have S 
status, in some logical snapshot of state. 

Caches communicate through ordered channels, shown as (>) in the figure. 
Child caches (C1 and C2) have channels to receive and respond to requests from 
processor cores. There are three types of channels between a parent and a child: 
one channel is for parent-to-child messages, and the other two channels are for 
child-to-parent requests and responses. It is natural to wonder why two separate 
child-to-parent channels are required; we will see the reason very soon. 

Figure 1 also depicts some example state-transition cases depending on the 
cache statuses. In this setting, all the caches run concurrently by repeatedly 
executing rules that make atomic, local state transitions. A rule may take some 
messages from input channels, perform a state transition, and put messages in 
output channels. A rule may also have a precondition, blocking use of that rule 
when the precondition does not hold. 
A rule execution ① is a case where a child C1 takes a request [a] rqWr from a 
processor to write data, but it does not have M status and thus further requests 
to the parent ([b] rqM) to get the permission. At this moment, in many practical 
cache-coherence-protocol designs, C1 changes its status to a transient state SM 
to record its current status (S) and the next expected status (M) and to make 
any further processor requests stall. 

Due to the concurrent execution of caches, we might have another rule executed 
at the same time. ② is executed concurrently with ①, where C2 also takes 
a processor request [e] rqWr and sends [f] rqM to the parent as well. Since ① and 
② happened at the same time, the parent P needs to decide which request to 
deal with. Suppose that it decided to handle [b] rqM first. 

③ presents the next execution by P, taking the input message [b] rqM and 
making an invalidation request ([c] rqI) to the other child C2 to change its status 
to I. This request is required, since when a child has M, the others should not be 
able to read/write the data. The parent, at this moment, changes its directory 
status to a transient state to disallow any other requests from the children (e.g., 
[f] rqM), since otherwise it will handle two rqM messages simultaneously, which 
might lead to an incoherent state — two M statuses in the caches. 

Lastly, ④ shows the case that C2 handles the invalidation request ([c] rqI). A 
number of corner cases should be handled carefully in this step: 


— Since C2 requested [f] rqM, it has a transient state SM when [c] rqI arrives. It 
should still be able to handle this invalidation request even in the transient 
state (while any processor requests stall). In this case, C2 accepts [c] rqI and 
changes its transient state to IM. We see that transient states should be 
fine-grained enough to distinguish which requests to handle. 

— Due to the existence of [f] rqM, if we had a single channel from a child to a 
parent, a deadlock would occur. P cannot take [f] rqM since it is in a transient 
state after making an invalidation request. It cannot take [d] rsI as well, since 
the response is not at the head of the ordered channel. This case shows the 
necessity of having multiple channels between a child and a parent. 


A so-called three-channel system has been widely used and regarded as a 
good choice to make the design correct and live [33,34]. While there are other 
possible correct topology and network settings, the cases shown in Fig. 1 at least 
demonstrate that it is nontrivial to construct one of them. Note that the three- 
channel system is logical in the sense that the actual hardware implementation 
may use various hardware components that can simulate the requirements. 
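To see the deadlock described above actually happen, here is an added toy model of the Fig. 1 setting (example code, not the paper's or Hemiola's own): two children under a parent, ordered channels modelled as queues, and atomic rules with a precondition and a transition fired one at a time. Channel names (p1, rq1, rs1, d1, ...), the parent's `busy` flag standing in for its transient directory state, and the fixed rule-priority order are all constructed for this illustration. With `single_channel=True` the child's rqM and rsI share one upward queue, so the rsI is stuck behind the rqM that the busy parent cannot accept; with three channels both writes complete.

```python
# Added example (not from the paper): toy model of the Sect. 2 MSI scenario.
from collections import deque


def make_system(single_channel):
    """Channels and cache states for the Fig. 1 setting (names are assumed)."""
    chans = {'p1': deque(['rqWr']), 'p2': deque(['rqWr']),   # processor -> child
             'd1': deque(), 'd2': deque()}                     # parent -> child
    for k in ('1', '2'):
        if single_channel:
            chans['rq' + k] = chans['rs' + k] = deque()         # one shared upward queue
        else:
            chans['rq' + k], chans['rs' + k] = deque(), deque() # separate rq/rs queues
    caches = {'C1': {'st': 'S', 'trs': None}, 'C2': {'st': 'S', 'trs': None}}
    parent = {'dir': {'C1': 'S', 'C2': 'S'}, 'busy': None}    # busy ~ P's transient state
    return chans, caches, parent


def head(q):
    return q[0] if q else None


def child_rules(k, chans, caches):
    c = caches['C' + k]
    p, d, rq, rs = chans['p' + k], chans['d' + k], chans['rq' + k], chans['rs' + k]

    def proc_wr():    # rule (1)/(2): take rqWr while in S and ask the parent for M
        if head(p) == 'rqWr' and c['trs'] is None and c['st'] == 'S':
            c['trs'] = 'SM'                    # transient state: processor requests stall
            rq.append('rqM')
            return True
        return False

    def inv():        # rule (4): handle rqI even in the transient state SM
        if head(d) == 'rqI':
            d.popleft()
            c['st'] = 'I'
            if c['trs'] == 'SM':
                c['trs'] = 'IM'
            rs.append('rsI')
            return True
        return False

    def got_m():      # permission arrived: finish the stalled write
        if head(d) == 'rsM':
            d.popleft()
            p.popleft()                        # the rqWr is consumed only now
            c['st'], c['trs'] = 'M', None
            return True
        return False

    return [proc_wr, inv, got_m]


def grant(chans, parent, k):
    chans['d' + k].append('rsM')
    parent['dir']['C' + k] = 'M'
    parent['busy'] = None


def parent_rules(chans, parent):
    rules = []
    for k, o in (('1', '2'), ('2', '1')):
        def take_rqm(k=k, o=o):    # rule (3): serve rqM, invalidating the other child first
            if head(chans['rq' + k]) == 'rqM' and parent['busy'] is None:
                chans['rq' + k].popleft()
                parent['busy'] = 'C' + k
                if parent['dir']['C' + o] != 'I':
                    chans['d' + o].append('rqI')
                else:
                    grant(chans, parent, k)
                return True
            return False

        def take_rsi(k=k):         # rsI from child k acknowledges the invalidation
            if head(chans['rs' + k]) == 'rsI' and parent['busy'] not in (None, 'C' + k):
                chans['rs' + k].popleft()
                parent['dir']['C' + k] = 'I'
                grant(chans, parent, parent['busy'][1])
                return True
            return False

        rules += [take_rqm, take_rsi]
    return rules


def run(single_channel, max_steps=50):
    """Fire one enabled rule per step until none is enabled (one rule at a time).
    'deadlocked' means the run stopped with processor requests still pending."""
    chans, caches, parent = make_system(single_channel)
    rules = (child_rules('1', chans, caches) + child_rules('2', chans, caches)
             + parent_rules(chans, parent))
    steps = 0
    while steps < max_steps and any(rule() for rule in rules):
        steps += 1
    return {'deadlocked': bool(chans['p1'] or chans['p2']), 'steps': steps,
            'C1': caches['C1']['st'], 'C2': caches['C2']['st']}


if __name__ == '__main__':
    print('single channel :', run(True))    # stuck after (1),(2),(3),(4): rsI behind rqM
    print('three channels :', run(False))   # both writes complete
```

The `busy` flag is the parent-side counterpart of what Sect. 3 later calls a downlock: while P waits for the rsI it refuses any further rqM, which is exactly why the shared queue wedges. The child's `trs` plays the role of SM/IM from the text.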

In terms of making a protocol design correct, transient states, topology, 
and network settings contribute to make interleavings correct. Considering the 
sequence of rule executions [①; ③; ④] (in red) as an execution flow — we will later 
call it a transaction — to handle a processor request [a] rqWr, we see that the other 
execution flow (in blue) could not happen after ②, which is for another proces- 
sor request [e] rqWr. As explained above case-by-case, proper transient states and 
network channels made [f] rqM stall. This mechanism to ensure safe interleav- 
ings is called noninterference [11,18], which ensures that no other transactions 
spuriously affect state transitions by an ongoing transaction. 
Hemiola in a Nutshell. If transient states, proper topology, and network 
settings are essential for designing a correct protocol, can we craft a DSL where 
only conformant protocols are expressible? 

That is exactly what we did with Hemiola. The Hemiola DSL helps designers 
design cache-coherence protocols in a safe way. Instead of requiring designers to 
use transient states coupled to a protocol, we discover general stall conditions 
that by themselves ensure noninterference and form those conditions as con- 
ceptual locks. The stall conditions are extracted and abstracted from the usual 
transient states, so they can apply to practical protocols. 

For instance, a designer may write a rule for ① without any DSL support 
like the left rule in the following code: 


system memoryMSI {
  cache C1 {
    state status: MSI, value: valueT, in_transition: TrsMSI
    ...
    // Without any DSL support          | // Using the Hemiola DSL
    rule getMRqUpUp {                   | rule getMRqUpUp from template rquu {
      msgIn = procToC1.deq();           |   receive rqWr();
      assert (msgIn.id == rqWr);        |   assert (status == S);
      assert (!in_transition);          |   send rqM();
      assert (status == S);             | }
      in_transition <= SM;              |
      c1ToPRq.enq({id: rqM, val: 0});   |
    }                                   |
  }
}


Note that a designer has to find proper input/output channels (procToC1 and 
c1ToPRq) and check/set a proper transient state (in_transition) in order to define 
the rule. 

On the other hand, the left rule can be written more easily by using the 
Hemiola DSL as the right rule. Instead of using explicit channels and transient 
states, the right rule just uses the rquu rule template (where rquu stands for 
request-up-up). The rule templates employ proven-safe network structures and 
automatically check/set/release associated locks, so users can design protocols 
without worrying about incorrect use of network channels, locks, etc. 


3 The Hemiola Domain-Specific Language 


As explained in Sect. 2, in designing a cache-coherence protocol, it is nontrivial 
to make concurrent execution of transactions correct. In this section, we intro- 
duce the Hemiola DSL to ease that burden. While conventional approaches deal 
with transient states directly to derive noninterference per-state, the Hemiola 
DSL limits protocols to satisfy abstract conditions that can guarantee noninter- 
ference by-construction. The conditions have already been mentioned in Sect. 2 
— network topology and locking mechanisms extracted from transient states of 
practical cache-coherence protocols. 


Notations. An overline (e.g., $\overline{l}$) denotes a list. $[\,]$ and $(\overline{l} + e)$ denote nil and 
single-element append, respectively. $\oplus\,\overline{l}$ flattens the list of lists $\overline{l}$ with repeated 
concatenation. $(\overline{l_1} + \overline{l_2})$, $(\overline{l_1} - \overline{l_2})$, and $(\overline{l_1} \,\#\, \overline{l_2})$ denote append, subtraction, 
and disjointness of lists, respectively. We use the same operation $(+)$ for the 
single-element and general append. Regarding a list of key-value pairs as a finite 
map, we override notations for lists. For example, $(M + \overline{l})$ updates multiple 
key-value pairs in a finite map $M$. Moreover, we overload the same operation 
$(M + (k, v))$ for a single update for simplicity. $(\overline{s}.fd)$ is used as a shorter notation 
for $(\mathrm{List.map}\ (\lambda s.\ s.fd)\ \overline{s})$. We use $(\cdot)$ to denote a struct and use a name (e.g., 
$s.fd$) to access a field value. 


3.1 Syntax 


The Hemiola DSL is similar to well-known rule-based hardware-description languages 
(HDLs) such as Bluespec [23], Kami [10], and Kôika [4]. A notable difference 
is that rule descriptions are restricted by predesigned rule templates to 
avoid spurious interleavings among transactions. 

A system $S ::= (\overline{C}, \overline{i_{in}}, \overline{i_{rq}}, \overline{i_{rs}})$ is the biggest unit of the language; it con- 
sists of caches ($\overline{C}$) and channel indices for internal messages ($\overline{i_{in}}$) and external 
(processor) inputs ($\overline{i_{rq}}$)/outputs ($\overline{i_{rs}}$). A cache $C ::= (i, s_{init}, \overline{r})$ consists of its index 
(unique within a system), an initial state ($s_{init}$), and rules ($\overline{r}$). A rule ($r$) makes 
state transitions within the cache, and it is always defined by one of the rule 
templates provided by the language. 

Each rule template must be instantiated with a rule index (should be unique 
within a cache), a precondition, and a transition function, where the types of the 
precondition and transition vary by template. A precondition of a rule template 
usually takes input messages and a (partial) current cache state and decides 
whether the rule can be executed or not. A transition function takes the same 
arguments in general but returns the next cache state and output messages. 
Neither state transition nor input-messages consumption happens if the precon- 
dition does not hold. We will introduce the detailed rule-template forms in the 
next section (Sect. 3.2). 

A message m::= (ty, id, val) is composed of a Boolean message type (request 
or response), a message ID (effectively from an enumeration of message kinds), 
and a value. We use value to refer to the set of legal contents of memory 
addresses. A pair im::= (i,m) is used sometimes to represent a message m in a 
channel with an index i. 


3.2 Rule Templates 


The Hemiola DSL follows syntax and semantics of traditional rule-based HDLs, 
but the major difference is that Hemiola further restricts the way of describing 
rules, which itself guarantees noninterference among transactions. 


Topology and Network Requirements. First of all, Hemiola requires that 
the caches in a given system form a tree topology. Most cache-coherent memory 
subsystems follow this topology, where leaf nodes correspond to L1 caches, and 
the root corresponds to the main memory. A child and its parent in the tree 
communicate using the three channels shown in Sect. 2. 


Hemiola: A DSL and Verification Tools for Cache-Coherence Protocols 323 


Fig. 2. Locking mechanism in Hemiola (P2 sets a downlock when sending rqs to 
children; P1 sets an uplock when sending rq2 to P2) 


Note that the topology and network settings are required logically; the actual 
hardware implementation may use various hardware components (e.g., finite- 
capacity FIFOs or buses) that can simulate the requirements. 


Locking Mechanism. We saw in Sect.2 why transient states are required 
to ensure noninterference in cache-coherence protocols. Revisiting the issue 
described in Fig.1, a child should be able to handle an invalidation request 
from the parent even if it is in a transient state (SM), and after handling the 
request it changes its transient state to IM. 

Hemiola supports a locking mechanism reflecting this discovery; the locking 
is more general in that the framework looks at whether the message is from the 
parent or a child. This mechanism is still enough to describe practical cache- 
coherence protocols and sufficient to ensure noninterference. 

In particular, Hemiola employs two kinds of locks: uplocks and downlocks. We 
say a cache is uplocked (or downlocked) when it holds an uplock (or downlock), 
respectively. Figure 2 depicts the locking mechanism in Hemiola. An uplock is 
set when a cache (P1 in the figure) makes an upward request to its parent (P2); 
it is released when the cache gets a corresponding response from the parent. 
The cache cannot make any further upward requests while uplocked. On the 
contrary, a downlock is set when a cache (P2 in the figure) makes downward 
request(s) to some of its children; similarly it is released when the cache gets 
corresponding response(s) from the child requestee(s). The cache cannot make 
any further downward requests while downlocked. 

Now every cache defined in Hemiola does not need to set transient states to 
consider all possible combinations among stable statuses. For instance, instead 
of setting a transient state SM, it is now desirable to maintain its status S and 
set an uplock to record it just made an upward request. We emphasize that 
the Hemiola locks do not enforce more restrictions on protocols than what is 
enforced by transient states; e.g., as an uplock makes certain messages like rqS 
and rqM stall, a transient state SM makes them stall as well. 

Each cache defined by Hemiola has a semantic lock state holding a lock type 
(uplock or downlock) and related messages/indices. The user, however, does 
not need to deal with this lock state while using the DSL; locks are managed 
implicitly by Hemiola. 

Note that the DSL supports design of single-cache-line protocols, and thus 
the uplock and downlock are assigned per-line. The single-line protocol is then 
Fig. 3. Rule templates in Hemiola 


naturally extended to all cache lines using a protocol compiler that will be intro- 
duced in Sect.6. This approach is sound in terms of correctness, since a trans- 
action does not affect coherence for the other lines. 


The Nine Rule Templates. Hemiola provides a set of rule templates for 
describing protocols in a way that guarantees noninterference by-construction. 
Figure 3 presents the nine rule templates. Each diagram has the form {P} C [Q] 
and arrows (representing the directions of messages; e.g., a downward arrow 
indicates messages from a parent) with circles (○ for inputs and ● for outputs) 
and labels representing requests (rq(s)) and responses (rs(s)). It means that the 
rule template is for a cache C, requires input messages (○) with the message 
types determined by the label, has a precondition P, performs a state transition 
Q, and generates output messages (●). The precondition and state transition 
are implicit in the sense that they are automatically checked and performed, 
respectively, whenever the rule is executed. Note that some rule templates may 
make local state transitions without any input/output messages (input/output 
messages marked with parentheses in Fig. 3). 

UL, DL, !UL, and !DL in a precondition indicate that the cache should be 
uplocked, downlocked, uplock-free, and downlock-free, respectively. UL↑, DL↑, 
UL↓, and DL↓ in a state transition indicate setting an uplock, setting a down- 
lock, releasing an uplock, and releasing a downlock, respectively. SLT annotates 
that the rule template forbids any state modification beside locking. 

The rule templates are carefully designed to avoid any spurious interleavings 
among transactions. We see a number of cases that are worth analyzing: 


— immu and rqdd show that a cache can handle a downward request even when 
uplocked. These rules do not have a precondition that the cache should be 
uplock-free. This relaxation is necessary to avoid a deadlock. 

— rsdd says that in order to handle a response from the parent, the cache should 
be downlock-free. This precondition is required to ensure noninterference. 

— rsrq forces the order of a traversal, saying that the traversal for the outer 
caches must be done before traversing the inner caches. This rule is used when 
a transaction needs to traverse all the caches in the system, e.g., invalidating 
all the other caches to obtain the M status. The forced order is important to 
avoid a deadlock. 


$$\text{SSilent:}\quad \frac{}{s \xrightarrow{\,l_\epsilon\,}_S s}
\qquad
\text{SIns:}\quad \frac{\overline{im} \neq [\,] \qquad \overline{im}.i \subseteq S.\overline{i_{rq}}}{(\overline{c}, M) \xrightarrow{\,l_{in}(\overline{im})\,}_S (\overline{c},\ M + \overline{im})}$$

$$\text{SOuts:}\quad \frac{\overline{im} \neq [\,] \qquad \overline{im} \subseteq M.hds \qquad \overline{im}.i \subseteq S.\overline{i_{rs}}}{(\overline{c}, M) \xrightarrow{\,l_{out}(\overline{im})\,}_S (\overline{c},\ M - \overline{im})}$$

$$\text{SInt:}\quad \frac{\begin{array}{c}
S = (\overline{C}, \overline{i_{in}}, \overline{i_{rq}}, \overline{i_{rs}}) \qquad C \in S.\overline{C} \qquad r \in C.\overline{r} \\
\overline{im^{ins}}.i \subseteq S.\overline{i_{in}} \cup S.\overline{i_{rq}} \qquad \overline{c}[C.i] = c_1 \qquad \overline{im^{ins}} \subseteq M.hds \\
r.p\,(c_1, \overline{im^{ins}}) \qquad r.t\,(c_1, \overline{im^{ins}}) = (c_2, \overline{im^{outs}}) \\
\overline{im^{outs}}.i \subseteq S.\overline{i_{in}} \cup S.\overline{i_{rs}} \qquad \overline{im^{ins}}.i \,\#\, \overline{im^{outs}}.i
\end{array}}{(\overline{c}, M) \xrightarrow{\,l_{int}(C.i,\ r.i,\ \overline{im^{ins}},\ \overline{im^{outs}})\,}_S (\overline{c} + (C.i, c_2),\ M - \overline{im^{ins}} + \overline{im^{outs}})}$$


Fig. 4. Transition steps of the Hemiola DSL 


4 Verification in Hemiola 


We have introduced the Hemiola DSL in Sect.3 and provided an intuition 
that rule templates ensure general noninterference, i.e., interleavings among any 
transactions are safe. That said, we have not yet shown how the rule templates 
guarantee such noninterference in a formal way. We also have not explained how 
noninterference eases the verification of cache-coherence protocols. 

In this section, we provide the semantics of the Hemiola DSL and the formal 
meaning of general noninterference called serializability. We then introduce our 
novel approach to proving invariants called predicate messages, which eliminates 
the burden of considering interference while proving invariants. 


4.1 Semantics of the Hemiola DSL 


A system in Hemiola follows so-called “one-rule-at-a-time semantics” [4,5, 10,34], 
i.e., any state transition by concurrent rule executions can be interpreted as a 
serial execution of rules. Thus, it is fair to consider that a state transition happens 
by executing a single rule. 


Transition Steps. Figure 4 describes the complete semantics for transition steps 
of the Hemiola DSL. The semantics for a step is presented as a judgment $s_0 \xrightarrow{\,l\,}_S s_1$, 
where $S$ is the system to execute, $s_0$ is a prestate, $s_1$ is a poststate, and $l$ is a 
label generated by the state transition. The state of a system (in domain $\mathbb{S}$) 
is a pair $(\overline{c}, M)$ of cache states ($\overline{c}$) and message states ($M$). Cache states are 
represented in a finite map from cache indices to cache states, and message 
states are represented in a finite map from channel indices to ordered queues of 
messages. 

Rule [SSilent] represents the case where no state transition happens in the 
current step; an empty label ($l_\epsilon$) is generated in this case. From now on, we 
assume that all the input/output messages used in the step definitions do not 
share the same channel, i.e., $(\mathrm{List.NoDup}\ \overline{im}.i)$. [SIns] describes the case for exter- 
nal input messages coming to the system; an external-inputs label ($l_{in}(\overline{im})$) 
is generated in this case. [SOuts] describes the opposite case, for output mes- 
sages being released to the external world, generating an external-outputs label 
($l_{out}(\overline{im})$). 

Lastly, [SInt] deals with a state transition by a rule ($r$) in a cache ($C$). 
It nondeterministically chooses a cache and a rule in the cache, checks that 
the precondition holds, and applies the transition to update the state of the 
system; an internal label ($l_{int}(C.i, r.i, \overline{im^{ins}}, \overline{im^{outs}})$) is generated in this case, 
which records a cache index, a rule index, input messages, and output messages. 
Note that the semantics is based on ordered channels, so messages are enqueued 
and dequeued in each state-transition case. 

The step semantics is naturally lifted to one for multiple steps, presented as 
a judgment $s_0 \xrightarrow{\,\overline{l}\,}_S s_1$, where $\overline{l}$ is a sequence of labels generated by executions of 
the steps in order. We will sometimes call such a sequence of labels a history. 
We say that a state $s$ is reachable iff there is a history $\overline{l}$ such that $s_{init} \xrightarrow{\,\overline{l}\,}_S s$ 
holds, where $s_{init}$ is the initial state of the system $S$. We use a simpler notation 
$S \Rightarrow s$ for reachable states. We also call such a history $\overline{l}$ legal, denoted as $S \vdash \overline{l}$. 
We call $\mathcal{I} : \mathbb{S} \to \mathbb{P}$² an invariant over a system $S$ if $\mathcal{I}$ holds for all reachable 
states, i.e., $\forall s.\ (S \Rightarrow s) \to \mathcal{I}(s)$. 


Behaviors and Correctness. A system $S$ has a behavior $\lfloor\overline{l}\rfloor$ (denoted as $S \rightsquigarrow \lfloor\overline{l}\rfloor$) 
iff $s_{init} \xrightarrow{\,\overline{l}\,}_S s$ holds, where $\lfloor\cdot\rfloor$ filters out silent ($l_\epsilon$) and internal ($l_{int}$) labels 
so only the external parts remain. We call such a sequence of labels a trace. 
Lastly, we say that a system $I$ (“implementation”) trace-refines another system 
$S$ (“specification”), written as $I \sqsubseteq S$, iff every trace of $I$ is also a trace of $S$: 


$$I \sqsubseteq S \triangleq \forall \overline{t}.\ I \rightsquigarrow \overline{t} \to S \rightsquigarrow \overline{t}.$$


In order to prove trace refinement, we usually establish a simulation rela- 
tion [6] between the implementation and the spec states and prove that the 
relation is preserved over steps, and it is crucial to state and prove proper invari- 
ants of the implementation for the simulation proof. Since the invariant proof is 
indeed the most significant part of the whole correctness proof, in this paper we 
would like to focus on how Hemiola helps a user state and prove invariants. 


² $\mathbb{P}$ is Prop in Coq, which can reasonably be interpreted as Boolean in this paper. 
Fig. 5. An example of an atomic history 


4.2 Serializability in Hemiola 


Serializability [3,28] is a celebrated notion of concurrency correctness. While 
each transaction in a system affects multiple values, serializability guarantees 
that interleaved execution of such transactions is correct in that the effect (state 
change) is the same as if the transactions were executed serially, i.e., atomically 
in some order with no interleaving. 

In order to define serializability formally, we first provide basic definitions 
of atomic histories and transactions. A history $h$ is atomic iff it satisfies the 
predicate $(\overline{im^{init}} \xrightarrow{\,h\,} \overline{im^{end}})$ with initial messages $\overline{im^{init}}$ and live messages 
$\overline{im^{end}}$, constructed inductively by the following two cases: 


— Any singleton history with an internal label is an atomic history with its 
input and output messages as initial and live messages, respectively. 

— If $h$ is an atomic history, $(h + l)$ is also an atomic history if $l$ consumes its input 
messages from the live messages of $h$. The new live messages are constructed 
by subtracting the input messages and adding the output messages of $l$ to 
the previous live messages. 


Figure 5 presents an atomic history already shown in Fig. 1. $h$ is generated 
by executions of three rules, $r_1 \in C_1.\overline{r}$, $r_2 \in P.\overline{r}$, and $r_3 \in C_2.\overline{r}$. Rule $r_1$ takes an 
input message $(1, rqWr)$ (from the channel with index 1) as an initial message 
of the history. Rule $r_2$ takes $(3, rqM)$, the output message from $r_1$. Finally, $r_3$ 
takes $(8, rqI)$, the output message from $r_2$. Summing up all the rule executions, 
by the definition of an atomic history we get the predicate lower-right in Fig. 5. 

This example shows that an atomic history intuitively captures a transaction 
flow triggered by the initial messages. Note that an atomic history does not need 
to be completed, e.g., $h$ in the example is incomplete in the sense that the live 
message ($rsI$) is not a response sent to an external channel. 

We call an atomic history $(\overline{im^{init}} \xrightarrow{\,h\,} \overline{im^{end}})$ a transaction if its initial 
messages are external requests ($\overline{im^{init}}.i \subseteq S.\overline{i_{rq}}$); we denote it as $S \,/\, h$. 

With a clear notion of transactions, we can now easily define sequential histo- 
ries and serializability. A history h is sequential iff the history is a concatenation 
of transactions: 
A legal history $h$ is serializable in the system $S$ iff there exists a sequential 
history that reaches the same state: 


$$\mathrm{Serializable}\ S\ h \triangleq \forall s.\ s_{init} \xrightarrow{\,h\,}_S s \to \exists h_{seq}.\ \mathrm{Sequential}\ S\ h_{seq} \wedge s_{init} \xrightarrow{\,h_{seq}\,}_S s.$$


A system $S$ is serializable iff every legal history is serializable: 


$$\mathrm{Serializable}\ S \triangleq \forall h.\ \mathrm{Serializable}\ S\ h.$$


Fig. 6. Interference breaks a predicate message (notation used in the figure: 
$C.st \triangleq (s.\overline{c})[C.i].st$) 
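The two inductive cases for atomic histories, the transaction condition and the sequential-history check, run on explicit labels as an added example (not the paper's Coq definitions). A label is written (cache, rule, ins, outs) with ins/outs as lists of (channel index, message id), mirroring $l_{int}$ from Fig. 4. The Fig. 5 flow supplies the first history; the channel indices of the responses, the second constructed transaction for a write from C2, and the set of external request channels are assumptions. Because the page does not reproduce the formal definition of Sequential, the greedy split below (a new segment starts at every label fed only by external requests) is this example's reading of "a concatenation of transactions".

```python
# Added example (not from the paper): atomic histories, transactions and a
# sequential-history check over explicit internal labels.


def atomic(history):
    """Return (initial, live) if `history` is atomic, else None.

    Case 1: a singleton history is atomic, with its inputs as initial and its
    outputs as live messages. Case 2: h + l stays atomic when l consumes its
    inputs from the live messages of h; live becomes (live - ins) + outs."""
    if not history:
        return None                                  # no base case for the empty history
    _, _, ins, outs = history[0]
    initial, live = list(ins), list(outs)
    for _, _, ins, outs in history[1:]:
        if any(im not in live for im in ins):
            return None                              # l reads a message h did not produce
        live = [im for im in live if im not in ins] + list(outs)
    return initial, live


def is_transaction(history, ext_rq):
    """Atomic, and every initial message sits in an external request channel."""
    res = atomic(history)
    return res is not None and all(i in ext_rq for i, _ in res[0])


def sequential(history, ext_rq):
    """Greedy split into segments starting at externally triggered labels;
    the history is sequential iff every segment is a transaction."""
    segments = []
    for label in history:
        ins = label[2]
        if ins and all(i in ext_rq for i, _ in ins):
            segments.append([label])                 # a new transaction begins here
        elif segments:
            segments[-1].append(label)
        else:
            return False                             # first label is not externally triggered
    return all(is_transaction(seg, ext_rq) for seg in segments)


EXT_RQ = {1, 2}   # assumed: channel 1 feeds C1, channel 2 feeds C2 from the processors

# Fig. 5: r1 in C1 takes (1, rqWr), r2 in P takes (3, rqM), r3 in C2 takes (8, rqI).
# The rsI channel index 7 is an assumption.
H1 = [('C1', 'r1', [(1, 'rqWr')], [(3, 'rqM')]),
      ('P',  'r2', [(3, 'rqM')],  [(8, 'rqI')]),
      ('C2', 'r3', [(8, 'rqI')],  [(7, 'rsI')])]
# Constructed second transaction: the symmetric write from C2 (indices assumed).
H2 = [('C2', 'r1', [(2, 'rqWr')], [(6, 'rqM')]),
      ('P',  'r2', [(6, 'rqM')],  [(5, 'rqI')]),
      ('C1', 'r3', [(5, 'rqI')],  [(4, 'rsI')])]


def demo():
    interleaved = [H1[0], H2[0], H1[1], H2[1], H1[2], H2[2]]
    return {
        'h1_atomic': atomic(H1),                                   # ([(1,'rqWr')], [(7,'rsI')])
        'h1_is_transaction': is_transaction(H1, EXT_RQ),           # True
        'concat_sequential': sequential(H1 + H2, EXT_RQ),          # True
        'interleaved_atomic': atomic(interleaved) is not None,     # False
        'interleaved_sequential': sequential(interleaved, EXT_RQ), # False
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

The interleaved history is exactly the situation serializability rules out: it is neither atomic nor a concatenation of transactions, so an invariant checked only on sequential histories says nothing about it unless the language guarantees that some sequential history reaches the same state.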


4.3 Predicate Messages 


Now we discuss how to exploit our notion of serializability: how does it help prove 
global invariants of a system? In proving the correctness of a cache-coherence 
protocol, it is very common to state an invariant like “an important property 
holds whenever the system includes a certain message in a certain channel.” We 
call such an invariant a predicate message, giving the intuition of messages that 
logically carry predicates that must be true so long as those messages remain 
in play. More formally, $S \vdash im\{P\} \triangleq \forall s.\ (S \Rightarrow s) \rightarrow im \in s.M \rightarrow P(s)$, where
s.M refers to the message state of the system. We will write just im{P} when
the system S is clear from context, also often using a shorter version id{P}
(considering only messages with a given ID) when it is not ambiguous.

Figure 6 presents an example of a predicate message. When a child C2 is
about to handle a response message rsM, which is a permission to change the
cache status to M, we expect the parent and the other child C1 to have I status
(like {C1.st = I ∧ P.st = I} in the figure). However, between the sending of that
message and receipt by C2, the predicate may be broken by another transaction;
for instance, the predicate no longer holds if a state transition happens by r1 ∈
C1.r, which takes another (5, rsM) and updates the status of C1 to M.

Investigating this corner case carefully, we find that actually no two different
rsM messages can be in the system at the same time. It implies that now
the predicate message for rsM should have a much-more-complicated form, which
considers all possible noninterference cases. The complete desired predicate message
for (8, rsM) will then look like:

(8, rsM){ C1.st = I ∧ P.st = I ∧                    // The original predicate
          // Noninterference with another transaction to get M from C1
          (7, rsI) ∉ s.M ∧ (5, rsM) ∉ s.M ∧
          ...                                       // More noninterference cases will be required
        }


It is indeed a burden to consider all possible interleavings per predicate mes- 
sage. We would not have faced such a complication if we could ensure that no 
other transactions interfere while handling a transaction. Serializability guaran- 
tees exactly that simplification, and Hemiola provides a way of designing and 
proving predicate messages in the simpler form, not taking any interference into 
account. 

Our novel approach to employing predicate messages in atomic histories
begins with formalizing the notion of atomic invariants. We say that $\mathcal{I}_A :
IM \times S \to \mathbb{P}$ is an atomic invariant iff $\mathcal{I}_A(im_o, s_1)$ holds for any atomic history
h with $s_0 \xrightarrow{h} s_1$ and $im_i \xrightarrow{h} im_o$.

Figure 7 shows an example of predicate messages defined in an atomic history,
formalized as an atomic invariant. An atomic invariant $\mathcal{I}_A$ is a conjunction of
clauses $(im \in im_o \rightarrow P(s))$, each claiming that the predicate P holds when im
is in the live messages $im_o$. We can prove that the atomic invariant $\mathcal{I}_A$ holds by
induction on state-transition steps through the atomic history in the figure:


— The initial step of the atomic history is the one by r1. The live messages are
[(4, rsI)]. Since r1 changes the status of C1 to I, it is straightforward to prove
$\mathcal{I}_A$.

— The next step is by rP, and at this point the live messages are [(8, rsM)]. By
the induction hypothesis, we obtain the predicate message (4, rsI){C1.st = I}.
Since rP changes the status of P to I, we can prove the predicate for (8, rsM).

— The last step is by r2, and the live messages are [(10, rsWr)]. $\mathcal{I}_A$ trivially holds
here since it does not contain any predicate for (10, rsWr).


Note that the invariant proof was straightforward since no other state transitions 
interfere with an atomic history. 
How do atomic invariants help prove conventional invariants? If the system
S is serializable, by definition, for every reachable state there is a sequential
history that reaches the same state. Since the sequential history is a concatenation
of transactions, an invariant can be proven by showing that any transaction
preserves it.

Since a transaction is an (external) atomic history, we can make use of corresponding
atomic invariants. In other words, we can employ both conventional/atomic
invariants ($\mathcal{I}$ and $\mathcal{I}_A$) to prove the ones for the next state ($s_{i+1}$):

$$\mathcal{I}_A(im_i, s_i) \wedge \mathcal{I}(s_i) \rightarrow (\mathcal{I}_A(im_{i+1}, s_{i+1}) \wedge \mathcal{I}(s_{i+1})).$$


For instance, in proving a cache-coherence protocol, we usually want to have
an invariant claiming that at most one node of the system has M status at a
time. The predicate messages defined in Fig. 7 will play a crucial role here, e.g.,
the one for (8, rsM) says that C1 and P both have I status, which means that the
state transition by (r2 : C2.st ← M) preserves the invariant. We will see more
comprehensive uses of predicate messages in our case studies (Sect. 5).
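The induction argument of Fig. 7 and the interference of Fig. 6 can be replayed mechanically. The following Python is an added example (not the paper's Coq development): rules are modeled as single status updates on a three-node protocol with caches C1, C2 and parent P; the predicate messages for (4, rsI) and (8, rsM) are the ones stated above; the invalidation-request channel 2, the response channel 6 and the initial statuses are constructed.

```python
# Predicate messages of the Fig. 7 atomic history, keyed by the full message
# (channel, id). The atomic invariant I_A is the conjunction of
# (im in im_o -> P(s)) over these entries.
PREDICATES = {
    (4, "rsI"): lambda st: st["C1"] == "I",
    (8, "rsM"): lambda st: st["C1"] == "I" and st["P"] == "I",
    # (10, rsWr) has no predicate, so I_A holds trivially once only it is live
}

def atomic_invariant(msgs, st):
    """I_A(im_o, s): every in-flight message that has a predicate satisfies it."""
    return all(pred(st) for m, pred in PREDICATES.items() if m in msgs)

def rule(owner, inp, node, status, outs):
    """A rule that consumes `inp`, sets node.st <- status, and sends `outs`."""
    return {"owner": owner, "in": inp, "node": node, "status": status, "outs": outs}

# Rules of the Fig. 7 history. The invalidation-request channel (2) and the
# initial statuses below are constructed; the rest follows the text.
R1 = rule("C1", (2, "rqI"), "C1", "I", [(4, "rsI")])
RP = rule("P",  (4, "rsI"), "P",  "I", [(8, "rsM")])
R2 = rule("C2", (8, "rsM"), "C2", "M", [(10, "rsWr")])
# The interfering rule of Fig. 6: C1 handles (5, rsM) from another transaction
# and upgrades to M (response channel 6 is constructed).
R1_OTHER = rule("C1", (5, "rsM"), "C1", "M", [(6, "rsWr")])

def step(st, msgs, r):
    """Fire r: consume its input message, update one status, add its outputs."""
    if r["in"] not in msgs:
        raise ValueError(f"{r['owner']}: input {r['in']} is not in flight")
    st = dict(st)
    st[r["node"]] = r["status"]
    msgs = [m for m in msgs if m != r["in"]] + list(r["outs"])
    return st, msgs

def run(st, msgs, rules):
    """Fire rules in order; after each step record (owner, I_A holds?)."""
    report = []
    for r in rules:
        st, msgs = step(st, msgs, r)
        report.append((r["owner"], atomic_invariant(msgs, st)))
    return st, msgs, report

INIT = {"C1": "M", "P": "S", "C2": "I"}   # constructed initial statuses

def check_fig7():
    """The atomic history alone: I_A holds after every step."""
    _, live, report = run(INIT, [(2, "rqI")], [R1, RP, R2])
    return live, report

def check_fig6_interference():
    """Same prefix, but (5, rsM) from another transaction is in flight and C1
    handles it while (8, rsM) is still live: the predicate for (8, rsM) breaks."""
    _, msgs, report = run(INIT, [(2, "rqI"), (5, "rsM")], [R1, RP, R1_OTHER])
    return msgs, report
```

`check_fig7()` reports the invariant holding at every step, which is the induction of the bullet list; `check_fig6_interference()` shows the same predicate failing at the third step, which is exactly the case serializability lets a Hemiola proof ignore.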


4.4 Serializability Guarantee by the Hemiola DSL 


The biggest contribution of the Hemiola framework includes the serializability
proof. The highest-level theorem simply claims that use of good topology
(OnTree S t) and the rule templates (GoodRules S t) guarantees serializability:

$$\forall S, t.\ \mathrm{OnTree}\ S\ t \wedge \mathrm{GoodRules}\ S\ t \rightarrow \mathrm{Serializable}\ S.$$


In the proof we used a well-established technique called commuting reduc- 
tions [15], showing that any interleaving transactions can be serialized by per- 
forming a finite number of reductions. Interested readers are referred to Choi’s 
dissertation [9], which describes more details of the proof. 


5 Case Studies: Hierarchical MSI and MESI Protocols 


In this section we explain how we designed, specified, and formally proved the 
correctness of the following three hierarchical cache-coherence protocols: inclu- 
sive/noninclusive MSI protocols and a noninclusive MESI protocol. Each pro- 
tocol is parameterized by a tree that decides the topology of the memory sub- 
system. In other words, whenever we instantiate the tree parameter, we get a 
cache-coherence design and its correctness proof for free. 

The protocols are directory-based and support arbitrary evictions. The inclu- 
sive MSI protocol requires back-invalidation to maintain the cache-line inclu- 
sion [30]. The noninclusive protocols employ the noninclusive-cache inclusive- 
directory (NCID) [38] structure to optimize cache space. 

We will introduce common points among our case-study protocols. Particu- 
larly, we focus on how predicate messages are used (introduced in Sect. 4.3) to 
ease the invariant proofs required to prove protocol correctness. More details 
about the correctness proofs are provided in Choi’s dissertation [9]. 
5.1 Cache States


A cache state consists of a status, a value, a directory, and a Boolean called an 
ownership bit. A status is either M, E, S, or I. The MESI protocol applies further 
optimizations to the MSI protocol: if a cache line has E status, then the line is 
exclusive to the cache but also clean. 

A directory contains a status of its children called a directory status and a 
list of child-cache indices that have the directory status. An L1 cache does not 
have a directory since it has no children. 

The ownership bit decides whether the cache is responsible for writing the 
value back to the parent when evicted. The ownership bit intuitively constrains 
which caches can have valid status; we will see how this intuition is formalized 
as an invariant in Sect. 5.3. 


5.2 Protocol Description with Rule Templates 


We present a number of rule descriptions, used in our case studies, that employ 
the rule templates provided in Hemiola. Each rule template is defined in Coq, 
taking in several parameters and generating a rule. We exploited Coq’s notation 
mechanism to define each rule template compactly. 


    rule l1GetMRqUpUp from template rquu {
      receive rqWr();
      assert (status != M);
      send rqM();
    }


The above code presents an actual rule definition in an L1 cache, starting with
an invocation of a particular rule template rquu, which takes an upward request
(to the cache) and sends a further request to the parent. This rule receives a
message with the ID rqWr from the processor core³ to get a write permission.
This rule template also requires the precondition (assert) and the output
message (send) to be written down. In this example the cache simply forwards rqM to the
parent. As explained in Sect. 3.2, the rquu rule template does not allow any state
transition except locking — the template automatically sets an uplock.


    rule liDownIRsUpDownM from template rsud {
      receive downRsI();
      hold {rsbTo, rqM()};
      status <= I;
      dir <= M [rsbTo];
      owned <= false;
      send rsM();
    }


The above rule presents another case that sends the response to the child who 
requested rqM. Template rsud says that the rule takes responses from children 
and responds back to the original child requestor. The rule receives the response 
message with the ID downRsI. In order to execute this rule, the cache should hold 


³ It is a rule defined in an L1 cache, thus an upward request is from the core.

Fig. 8. Use of predicate messages in the case-study protocols


a downlock containing the index of the original requestor (rsbTo) and the request 
message with the ID rqM, acting like an assertion for the lock state. 

As a state transition, this rule sets its status to I, sets the directory status to 
M by adding the requestor, and sets the ownership bit as false since the requestor 
will make the value dirty after it obtains M. It also sends a response (rsM) to the 
requestor. Lastly, the downlock is released automatically and implicitly by the 
rsud rule template. 


    rule liGetSImmME from template immd {
      receive rqS() from cidx;
      assert (status == E || status == M);
      assert (dir.status == I);
      status <= I;
      dir <= E [cidx];
      send rsE(value);
    }


The above rule is for the MESI protocol, fired when an intermediate cache
gets a request from a child to read the data, while the parent has status E or M.
In this case, instead of responding with rsS, the cache sends rsE to provide E.
Once the original requestor obtains E status, it can both read and write.


5.3 Invariant Proof Using Predicate Messages 


Now we present how predicate messages (introduced in Sect. 4.3) are used to
prove a nontrivial invariant required for all of our three case-study protocols.

Figure 8 shows a coordination between predicate messages and conventional
invariants. Suppose that an L1 cache (shown as L1 in gray in the figure) requested
to the parent to get the M status. When it finally handles the response rsM, it
should know all the other caches (except itself) have been invalidated to prove
the desired invariant about M (denoted as $L_1.st = M \rightarrow \mathrm{Invalid}(\lambda c.\ c \neq L_1)$).
This proof case can be supported using the predicate message for rsM, stating
$\mathrm{Invalid}(tr^{-1}(C))$ (the caches outside of the subtree rooted at C are invalid) when
the message goes to C. Since L1 is a leaf node in the tree, it is trivial to prove
$\mathrm{Invalid}(tr^{-1}(L_1)) \rightarrow \mathrm{Invalid}(\lambda c.\ c \neq L_1)$, so we see an example of a predicate
message helping prove a conventional invariant.
Figure 8 also shows another coordination to prove a predicate message. When
a child $C_i$ sends the invalidation response rsI, it should know that all the caches
inside the subtree of $C_i$ have been invalidated (denoted as $\mathrm{Invalid}(tr(C_i))$).
When the parent P subsequently handles the responses, it responds with rsM to
the original requestor ($C_0$ in the figure), requiring a proof of $\mathrm{Invalid}(tr^{-1}(C_0))$,
the predicate message for rsM.

While P also changes its status to I in this state transition, how do we infer
that the caches outside P have already been invalidated, which is required to
prove the predicate over rsM? In this case, we should know that 1) P has the
ownership bit true (from a simple cache-level invariant of P) and 2) the caches
outside of a cache with ownership bit set should have I status (denoted as
$P.owned = \top \rightarrow \mathrm{Invalid}(tr^{-1}(P))$) as an invariant. Combining all the predicates
and the state transition by P, we can prove the next predicate message for rsM
to the original requestor $C_0$.
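As an added example (not from the Hemiola case studies or their Coq proofs), the tree-level predicates of this subsection, tr(C), tr⁻¹(C), Invalid and the ownership invariant, written out in Python over a constructed seven-cache tree, with the parent's rsM step of Fig. 8 carried through. The cache names and the sample statuses are constructed.

```python
# Constructed cache tree: a last-level cache, two L2 caches, four L1 caches.
TREE = {"LLC": ["L2a", "L2b"], "L2a": ["L1a", "L1b"], "L2b": ["L1c", "L1d"],
        "L1a": [], "L1b": [], "L1c": [], "L1d": []}

def tr(c):
    """tr(c): the subtree rooted at c, including c itself."""
    return {c} | {d for child in TREE[c] for d in tr(child)}

def tr_inv(c):
    """tr^{-1}(c): the caches outside the subtree rooted at c."""
    return set(TREE) - tr(c)

def invalid(caches, st):
    """Invalid(cs): every cache in cs has status I."""
    return all(st[c]["status"] == "I" for c in caches)

def ownership_invariant(st):
    """For every cache c: c.owned = T -> Invalid(tr^{-1}(c))."""
    return all(invalid(tr_inv(c), st) for c in st if st[c]["owned"])

def single_m_invariant(st):
    """For every cache l: l.st = M -> Invalid(lambda c. c != l)."""
    return all(invalid(set(TREE) - {c}, st) for c in st if st[c]["status"] == "M")

def parent_sends_rsm(st, parent, requester):
    """The proof step of Fig. 8: the parent has collected rsI from its other
    children (their subtrees are invalid, the rsI predicate), it owns the line,
    it moves to I and sends rsM. Returns the new state and whether the rsM
    predicate Invalid(tr^{-1}(requester)) holds in it."""
    if not st[parent]["owned"]:
        raise ValueError("P.owned must hold (cache-level invariant of P)")
    for sibling in TREE[parent]:
        if sibling != requester and not invalid(tr(sibling), st):
            raise ValueError(f"rsI predicate violated: tr({sibling}) is not invalid")
    new = {c: dict(v) for c, v in st.items()}
    new[parent]["status"] = "I"
    return new, invalid(tr_inv(requester), new)

# Constructed state: L2a owns the line, L1a has already answered rsI,
# and L1b (the requester) is waiting for rsM.
STATE = {
    "LLC": {"status": "I", "owned": False},
    "L2a": {"status": "S", "owned": True},
    "L2b": {"status": "I", "owned": False},
    "L1a": {"status": "I", "owned": False},
    "L1b": {"status": "S", "owned": False},
    "L1c": {"status": "I", "owned": False},
    "L1d": {"status": "I", "owned": False},
}

def demo():
    """Carry the Fig. 8 argument through on STATE: the rsM predicate holds
    after the parent's step, and the requester taking M keeps the single-M
    invariant."""
    assert ownership_invariant(STATE)
    after_parent, rsm_pred = parent_sends_rsm(STATE, "L2a", "L1b")
    after_parent["L1b"]["status"] = "M"      # the requester handles rsM
    return rsm_pred, single_m_invariant(after_parent)
```

The two ValueError checks are the hypotheses the text names: P's ownership bit and the rsI predicates of the siblings. Removing either (for instance, setting `STATE["LLC"]["status"] = "S"` while L2a stays the owner) makes `ownership_invariant` fail, which is the situation the noninclusive design rules out.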


6 Compilation and Synthesis to Hardware 


So far we have dealt with cache-coherence protocols for a single line. In order to 
build a hardware-synthesizable multiline implementation, we developed a com- 
piler that takes a single-line Hemiola protocol and generates a multiline imple- 
mentation described in Kami [10]. 

Kami is a hardware formal-verification framework, where its own HDL and 
proof tools are defined in Coq, allowing users to design, specify, verify, and syn- 
thesize their hardware components. Since Kami already has a hardware-synthesis 
toolchain, we can just compile a Hemiola program to Kami and use the toolchain 
to run it on FPGAs. 


6.1 Compilation of Hemiola Protocols 


The compiler uses prebuilt hardware components described in Kami. One of 
them is NCID [38], whose interfaces include asynchronous read and write of 
the line status and value. Another prebuilt component holds a finite number of 
miss-status holding registers (MSHRs), whose abstract interface includes regis- 
tering, updating, and releasing MSHRs with respect to their types (uplock or 
downlock) and locking addresses. The compiler also takes a cache configuration 
as an argument to set the capacity of a cache, the number of MSHRs, etc. 

One of the biggest differences between a source Hemiola protocol and the 
target Kami implementation is that the target accesses multiple lines asyn- 
chronously. In the source protocol, a single-line value is read (or written) imme- 
diately, whereas in the target the value is accessed first by making a read (or 
write) request to a cache and next by handling the response. In order to optimize 
such line accesses, the compiler uses a prebuilt pipeline to deal with multiple line 
accesses in parallel. 
6.2 Synthesis of Hemiola Protocols


Once we have obtained a multiline cache-coherence protocol implementation 
from the compiler, we can use Kami’s synthesis toolchain to transliterate it to a 
Bluespec [23] implementation and synthesize it to load on an FPGA. 

Before synthesis, we first evaluated two Hemiola protocols, Hemiola2
and Hemiola3, instantiated from our hierarchical noninclusive MESI protocol
described in Sect. 5, using the Bluespec simulator. Hemiola3 is a 3-level protocol,
consisting of four 32 KB 4-way set-associative L1 caches, two 128 KB
8-way L2 caches, and a 512 KB 16-way last-level cache. Hemiola2 is 2-level,
consisting of four L1 caches and the last-level cache. Each line holds 32 bytes
in all the protocols. We compared the performance with an existing Bluespec
implementation, RiscyOO [37], featuring a 2-level inclusive MESI protocol with
self-invalidation [30]. We set the cache sizes of RiscyOO the same as for Hemiola2.

Figure 9 shows the performance result. We measured performance by count- 
ing the number of transactions performed in 5 x 10° simulation cycles, with 
various workloads that make random requests but mimic some amount of tem- 
poral/spatial locality of memory accesses. Though one should not draw too many 
conclusions from the precise measurements, the result shows that the Hemiola 
protocols are competitive with a practical implementation coded by hand. 

Next we synthesized the Hemiola protocols, also shown in Fig. 9. We used
Xilinx’s Virtex-7 VC707 FPGA [1] for synthesis. Each protocol uses a minimal
clock length that can safely cover its critical path. Both Hemiola2 and Hemiola3
stayed within the FPGA’s budget of lookup tables (LUTs) and flip-flops (FFs).
We performed tandem verification covering over 10° memory requests for each
protocol on the FPGA, by connecting it to a tester module that generates a
random workload and a reference memory to check its safety and liveness.


Performance (#trs/cycle)   all-shared   pair-shared   ex:sh=1:1   ex:sh=4:1
Hemiola3                   0.259        0.868         0.506       0.764
Hemiola2                   0.270        0.800         0.637       0.913
RiscyOO                    0.336        0.791         0.637       0.988

                           Clock length   Critical path   #LUTs     #FFs
Hemiola2                   40 ns          36.861 ns       126,714   41,203
Hemiola3                   40 ns          37.608 ns       240,034   61,011


Fig. 9. Evaluation and synthesis of Hemiola protocols


Optimization and verification of the cache-controller design are nontrivial; 
the pipeline requires correct stall logic, which is as sophisticated as the logic in 
pipelined processors. While the verification of the pipeline is one of our future- 
work directions, we see it as orthogonal to the verification of cache-coherence 
protocols, our focus with Hemiola. 
7 Related Work


Model Checking. Model checking has long been widely used to verify cache-coherence
protocols. Various model checkers like Murphi [12], SMV [20], and
TLA+ [13,14] have been used.

In order to overcome the usual state-space-explosion problem, model checkers 
have developed noninterference lemmas to deal with the state-space explosion by 
interleavings [11,18]. In order to obtain effective lemmas, a number of approaches 
used descriptions in terms of transactions (called “message flows”) [24,31,32]. 
Instead of looking at each transaction, Hemiola provides serializability that guar- 
antees noninterference among any transactions defined on top of the framework. 

In order to verify cache-coherence protocols with arbitrary numbers of cores 
(but no hierarchy), parameterization has been used in designing and model- 
checking the protocols [2,35,36]. Since Hemiola is built on Coq, we can take full 
advantage of parameterization, and indeed the framework supports verification 
of cache-coherence protocols with an arbitrary tree shape as a parameter. 

In order to increase scalability further, recent approaches used modularity 
in protocol design and successfully verified hierarchical cache-coherence proto- 
cols [7,8,16,17]. The enforced modularity, however, made it hard to design and 
verify noninclusive protocols. [7,8] tried to solve this problem using assume- 
guarantee reasoning and history variables, while still maintaining the concept of 
compositional verification, but faced state-space explosion again, and thus they 
just verified a two-level MSI protocol with three L2 caches. [16,17] have devel- 
oped the Neo theory as a safe way to compose “subtrees” of caches to have a 
hierarchical protocol. They argued it is possible to verify noninclusive protocols 
in the Neo framework when a directory is still inclusive but did not provide 
the actual design and proof. We provided the proofs of hierarchical noninclusive 
cache-coherence protocols in Hemiola, without any such restrictions. 

Another notable success of cache-coherence verification employed program 
synthesis to generate a protocol for a given atomic specification [25,26]. The Pro- 
toGen/HieraGen synthesizer can generate various hierarchical protocols includ- 
ing 3-hop protocols and even unconventional protocols like TSO-CC but does 
not support noninclusive protocols as well. Furthermore, they used Murphi to 
verify synthesized protocols, but in ProtoGen [26] they only succeeded up to 
three caches without exhausting memory, and in HieraGen [25] they succeeded 
only with the root, two cache-H, and two cache-L nodes. Since Hemiola supports 
noninclusive protocols but not 3-hop ones, we see protocol-design-space cover- 
age between Hemiola and ProtoGen/HieraGen as incomparable. That said, in 
terms of verification, Hemiola provides a much higher level of formal assurance 
by allowing verification of protocols with arbitrary tree topologies. 


Theorem Proving. Theorem proving also has been used to verify cache-coherence 
protocols. A number of works proved correctness of specific protocols [22,29]. A 
recent success was a proof of a hierarchical MSI protocol with an arbitrary 
tree topology using Coq [34], but it was not structured to promote streamlined 
reuse of results for other protocols. It also included rather complex and ad-hoc
invariants that needed to characterize transient states.

Another notable project designed a modular-specification approach for cache 
coherence, verifying each cache against the spec while generating/proving invari- 
ants automatically, using the Ivy verification tool [19,21,27]. While in Hemiola 
a user should state and prove invariants manually, the framework provides seri- 
alizability as a large essential invariant that can be reused by various protocols, 
and then invariants become easier to prove on top of it. 


8 Conclusion 


We have developed a framework called Hemiola for simplified design and for- 
mal proof of cache-coherence protocols. The template-based DSL ensures that 
the only protocols that can be expressed are those that admit a form of per- 
memory-access serializability. On top of the framework, we proved the correct- 
ness of hierarchical MSI and MESI protocols as case studies, demonstrating 
that Hemiola indeed eases proof burden. We also built a protocol compiler and 
demonstrated these protocol implementations running on FPGAs. 
Abstract. Reinforcement learning has been shown to be an effective
strategy for automatically training policies for challenging control problems.
Focusing on non-cooperative multi-agent systems, we propose a
novel reinforcement learning framework for training joint policies that
form a Nash equilibrium. In our approach, rather than providing low-level
reward functions, the user provides high-level specifications that
encode the objective of each agent. Then, guided by the structure of the
specifications, our algorithm searches over policies to identify one that
provably forms an ε-Nash equilibrium (with high probability). Importantly,
it prioritizes policies in a way that maximizes social welfare across
all agents. Our empirical evaluation demonstrates that our algorithm
computes equilibrium policies with high social welfare, whereas state-of-the-art
baselines either fail to compute Nash equilibria or compute ones
with comparatively lower social welfare.


1 Introduction 


Reinforcement learning (RL) is an effective strategy for automatically synthesiz- 
ing controllers for challenging control problems. As a consequence, there has been 
interest in applying RL to multi-agent systems. For example, RL has been used 
to coordinate agents in cooperative systems to accomplish a shared goal [22]. 
Our focus is on non-cooperative systems, where the agents are trying to achieve 
their own goals [17]; for such systems, the goal is typically to learn a policy for 
each agent such that the joint strategy forms a Nash equilibrium. 

A key challenge facing existing approaches is how tasks are specified. First, 
they typically require that the task for each agent is specified as a reward func- 
tion. However, reward functions tend to be very low-level, making them difficult 
to manually design; furthermore, they often obfuscate high-level structure in the 
problem known to make RL more efficient in the single-agent [14] and coopera- 
tive [22] settings. Second, they typically focus on computing an arbitrary Nash 
equilibrium. However, in many settings, the user is a social planner trying to 
optimize the overall social welfare of the system, and most existing approaches 
are not designed to optimize social welfare. 

We propose a novel multi-agent RL framework for learning policies from 
high-level specifications (one specification per agent) such that the resulting 
joint policy (i) has high social welfare, and (ii) is an ε-Nash equilibrium (for
a given ε). We formulate this problem as a constrained optimization problem
where the goal is to maximize social welfare under the constraint that the joint
policy is an ε-Nash equilibrium.

Our algorithm for solving this optimization problem uses an enumerative
search strategy. First, it enumerates candidate policies in decreasing order of
social welfare. To ensure a tractable search space, it restricts to policies that
conform to the structure of the user-provided specification. Then, for each candidate
policy, it uses an explore-then-exploit self-play RL algorithm [4] to compute
punishment strategies that are triggered when some agent deviates from the
original joint policy. It also computes the maximum benefit each agent derives
from deviating, which can be used to determine whether the joint policy augmented
with punishment strategies forms an ε-Nash equilibrium; if so, it returns
the joint policy.

Intuitively, the enumerative search tries to optimize social welfare, whereas
the self-play RL algorithm checks whether the ε-Nash equilibrium constraint
holds. Since this RL algorithm comes with PAC (Probably Approximately Correct)
guarantees, our algorithm is guaranteed to return an ε-Nash equilibrium
with high probability. In summary, our contributions are as follows.


— We study the problem of maximizing social welfare under the constraint that
the policies form an ε-NE. To the best of our knowledge, this problem has not
been studied before in the context of learning (beyond single-step games).

— We provide an enumerate-and-verify framework for solving the said problem. 

— We propose a verification algorithm with a probabilistic soundness guarantee 
in the RL setting of probabilistic systems with unknown transition probabil- 
ities. 


Motivating Example. Consider the road intersection scenario in Fig. 1. There are 
four cars; three are traveling east to west and one is traveling north to south. At 
any stage, each car can either move forward one step or stay in place. Suppose 
each car’s specification is as follows: 
— Black car: Cross the intersection before the green and orange cars.

— Blue car: Cross the intersection before the black car and stay a car length 
ahead of the green and orange cars. 

— Green car: Cross the intersection before the black car. 

— Orange car: Cross the intersection before the black car. 


We also require that the cars do not crash into one another. 

Clearly, not all agents can achieve their goals. The next highest social welfare 
is for three agents to achieve their goals. In particular, one possibility is that 
all cars except the black car achieve their goals. However, the corresponding 
joint policy requires that the black car does not move, which is not a Nash 
equilibrium—there is always a gap between the blue car and the other two cars 
behind, so the black car can deviate by inserting itself into the gap to achieve its 
own goal. Our algorithm uses self-play RL to optimize the policy for the black 
car, and finds that the other agents cannot prevent the black car from improving 
its outcome in this way. Thus, it correctly rejects this joint policy. Eventually, 
our algorithm computes a Nash equilibrium in which the black and blue cars 
achieve their goals. 


1.1 Related Work 


Multi-agent RL. There has been work on learning Nash equilibria in the multi-agent
RL setting [1,12,13,21,23,24]; however, these approaches focus on learning
an arbitrary equilibrium and do not optimize social welfare. There has also been
work on studying weaker notions of equilibria in this context [9,27], as well as
work on learning Nash equilibria in two-agent zero-sum games [4,20,26].


RL from High-Level Specifications. There has been recent work on using spec- 
ifications based on temporal logic for specifying RL tasks in the single agent 
setting; a comprehensive survey may be found in [2]. There has also been recent 
work on using temporal logic specifications for multi-agent RL [10,22], but these 
approaches focus on cooperative scenarios in which there is a common objective 
that all agents are trying to achieve. 


Equilibrium in Markov Games. There has been work on computing Nash equilibrium
in Markov games [17,25], including work on computing ε-Nash equilibria
from logical specifications [6,7], as well as recent work focusing on computing
welfare-optimizing Nash equilibria from temporal specifications [18,19]; however,
all these works focus on the planning setting where the transition probabilities
are known. Checking for existence of Nash equilibrium, even in deterministic
games, has been shown to be NP-complete for reachability objectives [5].


Social Welfare. There has been work on computing welfare maximizing Nash 
equilibria for bimatrix games, which are two-player one-step Markov games with 
known transitions [8,11]; in contrast, we study this problem in the context of 
general Markov games. 
2 Preliminaries


2.1 Markov Game 


We consider an n-agent Markov game $M = (S, A, P, H, s_0)$ with a finite set of
states S, actions $A = A_1 \times \cdots \times A_n$ where $A_i$ is a finite set of actions available
to agent i, transition probabilities $P(s' \mid s, a)$ for $s, s' \in S$ and $a \in A$, finite
horizon H, and initial state $s_0$ [20]. A trajectory $\zeta \in Z = (S \times A)^* \times S$ is a finite
sequence $\zeta = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{t-1}} s_t$ where $s_k \in S$, $a_k \in A$; we use $|\zeta| = t$ to
denote the length of the trajectory ζ and $a_{k,i} \in A_i$ to denote the action of agent
i in $a_k$.

For any $i \in [n]$, let $D(A_i)$ denote the set of distributions over $A_i$—i.e.,
$D(A_i) = \{\Delta : A_i \to [0,1] \mid \sum_{a_i \in A_i} \Delta(a_i) = 1\}$. A policy for agent i is a
function $\pi_i : Z \to D(A_i)$ mapping trajectories to distributions over actions. A
policy $\pi_i$ is deterministic if for every $\zeta \in Z$, there is an action $a_i \in A_i$ such that
$\pi_i(\zeta)(a_i) = 1$; in this case, we also use $\pi_i(\zeta)$ to denote the action $a_i$. A joint
policy $\pi : Z \to D(A)$ maps finite trajectories to distributions over joint actions.
We use $(\pi_1, \ldots, \pi_n)$ to denote the joint policy in which agent i chooses its action
in accordance with $\pi_i$. We denote by $D_\pi$ the distribution over H-length trajectories
in M induced by π.

We consider the reinforcement learning setting in which we do not know the
probabilities P but instead only have access to a simulator of M. Typically, we
can only sample trajectories of M starting at $s_0$. Some parts of our algorithm are
based on an assumption which allows us to obtain sample trajectories starting
at any state that has been observed before. For example, if taking action $a_0$ in
$s_0$ leads to a state $s_1$, we assume we can obtain future samples starting at $s_1$.


Assumption 1. We can obtain samples from $P(\cdot \mid s, a)$ for any previously
observed state s and any action a.


2.2 Specification Language 


We consider the specification language SPECTRL to express agent specifications. 
We choose SPECTRL since there is existing work on leveraging the structure 
of SPECTRL specifications for single-agent RL [16]. However, we believe our 
algorithm can be adapted to other specification languages as well. 

Formally, a SPECTRL specification is defined over a set of atomic predicates
$\mathcal{P}_0$, where every $p \in \mathcal{P}_0$ is associated with a function $[\![p]\!] : S \to \mathbb{B} =
\{\mathrm{true}, \mathrm{false}\}$; we say a state s satisfies p (denoted $s \models p$) if and only if
$[\![p]\!](s) = \mathrm{true}$. The set of predicates $\mathcal{P}$ consists of conjunctions and disjunctions
of atomic predicates. The syntax of a predicate $b \in \mathcal{P}$ is given by the grammar
$b ::= p \mid (b_1 \wedge b_2) \mid (b_1 \vee b_2)$, where $p \in \mathcal{P}_0$. Similar to atomic predicates, each
predicate $b \in \mathcal{P}$ corresponds to a function $[\![b]\!] : S \to \mathbb{B}$ defined naturally over
Boolean logic. Finally, the syntax of SPECTRL is given by¹


$$\phi ::= \mathrm{achieve}\ b \mid \phi\ \mathrm{ensuring}\ b \mid \phi_1; \phi_2 \mid \phi_1\ \mathrm{or}\ \phi_2,$$


where $b \in \mathcal{P}$. Each specification φ corresponds to a function $[\![\phi]\!] : Z \to \mathbb{B}$, and
we say $\zeta \in Z$ satisfies φ (denoted $\zeta \models \phi$) if and only if $[\![\phi]\!](\zeta) = \mathrm{true}$. Letting ζ
be a finite trajectory of length t, this function is defined by

$$\begin{aligned}
\zeta \models \mathrm{achieve}\ b &\quad \text{if } \exists i \le t,\ s_i \models b \\
\zeta \models \phi\ \mathrm{ensuring}\ b &\quad \text{if } \zeta \models \phi \text{ and } \forall i \le t,\ s_i \models b \\
\zeta \models \phi_1; \phi_2 &\quad \text{if } \exists i < t,\ \zeta_{0:i} \models \phi_1 \text{ and } \zeta_{i+1:t} \models \phi_2 \\
\zeta \models \phi_1\ \mathrm{or}\ \phi_2 &\quad \text{if } \zeta \models \phi_1 \text{ or } \zeta \models \phi_2.
\end{aligned}$$


Intuitively, the first clause means that the trajectory should eventually reach a
state that satisfies the predicate $b$. The second clause says that the trajectory
should satisfy specification $\phi$ while always staying in states that satisfy $b$. The
third clause says that the trajectory should sequentially satisfy $\phi_1$ followed by
$\phi_2$. The fourth clause means that the trajectory should satisfy either $\phi_1$ or $\phi_2$.
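To make the four clauses concrete, here is an added example (it is not code from the paper): a direct evaluator of the semantics above over a state sequence. The grid states, the predicate names AT_CHECKPOINT, AT_GOAL and NO_HAZARD, the tuple encoding of the grammar and all function names are assumptions of this example.

```python
from typing import Callable, Sequence, Tuple

# Constructed example: states are (x, y) grid cells; a predicate is a Boolean function on states.
State = Tuple[int, int]
Pred = Callable[[State], bool]

# Specification AST mirroring the SPECTRL grammar:
#   ("achieve", b) | ("ensuring", phi, b) | ("seq", phi1, phi2) | ("or", phi1, phi2)
Spec = tuple


def p_and(b1: Pred, b2: Pred) -> Pred:
    """Conjunction of predicates, as in the grammar b ::= (b1 and b2)."""
    return lambda s: b1(s) and b2(s)


def p_or(b1: Pred, b2: Pred) -> Pred:
    """Disjunction of predicates, as in the grammar b ::= (b1 or b2)."""
    return lambda s: b1(s) or b2(s)


def satisfies(traj: Sequence[State], phi: Spec) -> bool:
    """Decide zeta |= phi for a finite trajectory zeta = s_0 ... s_t.

    Only the states matter for SPECTRL satisfaction, so actions are omitted.
    """
    t = len(traj) - 1
    kind = phi[0]
    if kind == "achieve":                 # exists i <= t with s_i |= b
        b = phi[1]
        return any(b(traj[i]) for i in range(t + 1))
    if kind == "ensuring":                # zeta |= phi' and for all i <= t: s_i |= b
        sub, b = phi[1], phi[2]
        return all(b(traj[i]) for i in range(t + 1)) and satisfies(traj, sub)
    if kind == "seq":                     # exists i < t: zeta_{0:i} |= phi1 and zeta_{i+1:t} |= phi2
        phi1, phi2 = phi[1], phi[2]
        return any(
            satisfies(traj[: i + 1], phi1) and satisfies(traj[i + 1 :], phi2)
            for i in range(t)
        )
    if kind ==  "or":
        return satisfies(traj, phi[1]) or satisfies(traj, phi[2])
    raise ValueError(f"unknown SPECTRL operator {kind!r}")


# Constructed predicates on a 3x3 grid: visit the checkpoint, then the goal, never the hazard.
AT_CHECKPOINT: Pred = lambda s: s == (2, 0)
AT_GOAL: Pred = lambda s: s == (2, 2)
NO_HAZARD: Pred = lambda s: s != (1, 1)

# (achieve checkpoint ; achieve goal) ensuring no-hazard
SPEC_DELIVER: Spec = (
    "ensuring",
    ("seq", ("achieve", AT_CHECKPOINT), ("achieve", AT_GOAL)),
    NO_HAZARD,
)


def classify(traj: Sequence[State]) -> str:
    """Label a trajectory by which part of SPEC_DELIVER it fails, if any."""
    if satisfies(traj, SPEC_DELIVER):
        return "satisfied"
    if not satisfies(traj, ("ensuring", ("achieve", lambda s: True), NO_HAZARD)):
        return "safety violated"
    return "reachability not met"
```

Note that the sequencing clause is strict: the goal has to be reached at an index strictly after a prefix that already contains the checkpoint, so visiting the goal first and the checkpoint afterwards does not satisfy SPEC_DELIVER.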


2.3 Abstract Graphs 


SPECTRL specifications can be represented by abstract graphs which are DAG- 
like structures in which each vertex represents a set of states (called subgoal 
regions) and each edge represents a set of concrete trajectories that can be used 
to transition from the source vertex to the target vertex without violating safety 
constraints. 


Definition 1. An abstract graph $\mathcal{G} = (U, E, u_0, F, \beta, Z_{\text{safe}})$ is a directed acyclic
graph (DAG) with vertices $U$, (directed) edges $E \subseteq U \times U$, initial vertex $u_0 \in U$,
final vertices $F \subseteq U$, subgoal region map $\beta : U \to 2^S$ such that for each $u \in U$,
$\beta(u)$ is a subgoal region,$^2$ and safe trajectories $Z_{\text{safe}} = \bigcup_{e \in E} Z^{e}_{\text{safe}} \cup \bigcup_{f \in F} Z^{f}_{\text{safe}}$,
where $Z^{e}_{\text{safe}} \subseteq Z$ denotes the safe trajectories for edge $e \in E$ and $Z^{f}_{\text{safe}} \subseteq Z$
denotes the safe trajectories for final vertex $f \in F$.


Intuitively, $(U, E)$ is a standard DAG, and $u_0$ and $F$ define a graph reachability
problem for $(U, E)$. Furthermore, $\beta$ and $Z_{\text{safe}}$ connect $(U, E)$ back to the original
MDP $\mathcal{M}$; in particular, for an edge $e = u \to u'$, $Z^{e}_{\text{safe}}$ is the set of safe trajectories
in $\mathcal{M}$ that can be used to transition from $\beta(u)$ to $\beta(u')$.


Definition 2. A trajectory $\zeta = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{t-1}} s_t$ in $\mathcal{M}$ satisfies the
abstract graph $\mathcal{G}$ (denoted $\zeta \models \mathcal{G}$) if there is a sequence of indices $0 = k_0 < k_1 <
\cdots < k_\ell \le t$ and a path $\rho = u_0 \to u_1 \to \cdots \to u_\ell$ in $\mathcal{G}$ such that

- $u_\ell \in F$,
- for all $z \in \{0, \ldots, \ell\}$, we have $s_{k_z} \in \beta(u_z)$,
- for all $z < \ell$, letting $e_z = u_z \to u_{z+1}$, we have $\zeta_{k_z : k_{z+1}} \in Z^{e_z}_{\text{safe}}$, and
- $\zeta_{k_\ell : t} \in Z^{u_\ell}_{\text{safe}}$.

$^1$ Here, achieve and ensuring correspond to the "eventually" and "always" operators
in temporal logic.

$^2$ We do not require that the subgoal regions partition the state space or that they be
non-overlapping.


The first two conditions state that the trajectory should visit a sequence of
subgoal regions corresponding to a path from the initial vertex to some final
vertex, and the last two conditions state that the trajectory should be composed
of subtrajectories that are safe according to $Z_{\text{safe}}$.

Prior work shows that for every SPECTRL specification $\phi$, we can construct
an abstract graph $\mathcal{G}_\phi$ such that for every trajectory $\zeta \in Z$, $\zeta \models \phi$ if and only if
$\zeta \models \mathcal{G}_\phi$ [16]. Finally, the number of states in the abstract graph is linear in the
size of the specification.


2.4 Nash Equilibrium and Social Welfare 


Given a Markov game $\mathcal{M}$ with unknown transitions and SPECTRL specifications
$\phi_1, \ldots, \phi_n$ for the $n$ agents respectively, the score of agent $i$ from a joint policy
$\pi$ is given by

$J_i(\pi) = \Pr_{\zeta \sim \mathcal{D}_\pi}[\zeta \models \phi_i]$.

Our goal is to compute a high-value $\varepsilon$-Nash equilibrium in $\mathcal{M}$ w.r.t. these
scores. Given a joint policy $\pi = (\pi_1, \ldots, \pi_n)$ and an alternate policy $\pi_i'$ for
agent $i$, let $(\pi_{-i}, \pi_i')$ denote the joint policy $(\pi_1, \ldots, \pi_i', \ldots, \pi_n)$. Then, a joint
policy $\pi$ is an $\varepsilon$-Nash equilibrium if for all agents $i$ and all alternate policies $\pi_i'$,
$J_i(\pi) \ge J_i((\pi_{-i}, \pi_i')) - \varepsilon$. Our goal is to compute a joint policy $\pi$ that maximizes
the social welfare given by

$\text{welfare}(\pi) = \frac{1}{n} \sum_{i=1}^{n} J_i(\pi)$

subject to the constraint that $\pi$ is an $\varepsilon$-Nash equilibrium.


3 Overview 


Our framework for computing a high-welfare $\varepsilon$-Nash equilibrium consists of two
phases. The first phase is a prioritized enumeration procedure that learns deterministic
joint policies in the environment and ranks them in decreasing order
of social welfare. The second phase is a verification phase that checks whether
a given joint policy can be extended to an $\varepsilon$-Nash equilibrium by adding punishment
strategies. A policy is returned if it passes the verification check in the
second phase. Algorithm 1 summarizes our framework.

For the enumeration phase, it is impractical to enumerate all joint policies
even for small environments, since the total number of deterministic joint policies
is $\Omega(|A|^{|S|})$, which is $\Omega(2^{n|S|})$ if each agent has at least two actions. Thus,
in the prioritized enumeration phase, we apply a specification-guided heuristic
to reduce the number of joint policies considered. The resulting search space is
independent of $|S|$ and $H$, depending only on the specifications $\{\phi_i\}_{i \in [n]}$. Since
the transition probabilities are unknown, these joint policies are trained using
an efficient compositional RL approach.

Algorithm 1 HIGHNASHSEARCH
Inputs: Markov game (with unknown transition probabilities) $\mathcal{M}$ with $n$ agents,
agent specifications $\phi_1, \ldots, \phi_n$, Nash factor $\varepsilon$, precision $\delta$, failure probability $p$.
Outputs: $\varepsilon$-NE, if found.
1: PrioritizedPolicies $\leftarrow$ PRIORITIZEDENUMERATION($\mathcal{M}, \phi_1, \ldots, \phi_n$)
2: for joint policy $\pi \in$ PrioritizedPolicies do
3:     // Can $\pi$ be extended to an $\varepsilon$-NE?
4:     isNash, $\tau$ $\leftarrow$ VERIFYNASH($\mathcal{M}, \pi, \phi_1, \ldots, \phi_n, \varepsilon, \delta, p$)
5:     if isNash then return $\pi \bowtie \tau$   // Add punishment strategies
6: return No $\varepsilon$-NE found

Since the joint policies are trained cooperatively, they are typically not $\varepsilon$-Nash
equilibria. Hence, in the verification phase, we use a probably approximately
correct (PAC) procedure (Algorithm 2) to determine whether a given joint policy
can be modified by adding punishment strategies to form an $\varepsilon$-Nash equilibrium.
Our approach is to reduce this problem to solving two-agent zero-sum games.
The key insight is that for a given joint policy to be an $\varepsilon$-Nash equilibrium,
unilateral deviations by any agent must be successfully punished by the coalition
of all other agents. In such a punishment game, the deviating agent attempts
to maximize its score while the coalition of other agents attempts to minimize
its score, leading to a competitive min-max game between the agent and the
coalition. If the deviating agent can improve its score by a margin $> \varepsilon$, then the
joint policy cannot be extended to an $\varepsilon$-Nash equilibrium. Alternatively, if no
agent can increase its score by a margin $> \varepsilon$, then the joint policy (augmented
with punishment strategies) is an $\varepsilon$-Nash equilibrium. Thus, checking if a joint
policy can be converted to an $\varepsilon$-Nash equilibrium reduces to solving a two-agent
zero-sum game for each agent. Each punishment game is solved using
a self-play RL algorithm for learning policies in min-max games with unknown
transitions [4], after converting specification-based scores to reward-based scores.
While the initial joint policy is deterministic, the punishment strategies can be
probabilistic.

Overall, we provide the guarantee that with high probability, if our algorithm
returns a joint policy, it will be an $\varepsilon$-Nash equilibrium.


4 Prioritized Enumeration 


We summarize our specification-guided compositional RL algorithm for learn- 
ing a finite number of deterministic joint policies in an unknown environment 
under Assumption 1. These policies are then ranked in decreasing order of their 
(estimated) social welfare. 
[Fig. 3. Abstract graph of the blue car.]

[Fig. 4. Product abstract graph of the black and blue cars. The safe-trajectory sets on its final vertices refer to safe trajectories after the black and blue cars have reached their final states, respectively.]


Our learning algorithm harnesses the structure of specifications, exposed by
their abstract graphs, to curb the number of joint policies to learn. For every
set of active agents $B \subseteq [n]$, we construct a product abstract graph from the
abstract graphs of all active agents' specifications. A property of this product
is that if a trajectory $\zeta$ in $\mathcal{M}$ corresponds to a path in the product that ends
in a final state then $\zeta$ satisfies the specification of all active agents. Then, our
procedure learns one joint policy for every path in the product graph that reaches
a final state. Intuitively, policies learned using the product graph corresponding
to a set of active agents $B$ aim to maximize satisfaction probabilities of all
agents in $B$. By learning joint policies for every set of active agents, we are able
to learn policies under which some agents may not satisfy their specifications.
This enables learning joint policies in non-cooperative settings. Note that the
number of paths (and hence the number of policies considered) is independent
of $|S|$ and $H$, and depends only on the number of agents and their specifications.

One caveat is that the number of paths may be exponential in the number 
of states in the product graph. It would be impractical to naively learn a joint 
policy for every path. Instead, we design an efficient compositional RL algorithm 
that learns a joint policy for each edge in the product graph; these edge policies 
are then composed together to obtain joint policies for paths in the product 
graph. 


4.1 Product Abstract Graph 


Let $\phi_1, \ldots, \phi_n$ be the specifications for the $n$ agents, respectively, and let
$\mathcal{G}_i = (U_i, E_i, u_0^i, F_i, \beta_i, Z_{\text{safe},i})$ be the abstract graph of specification $\phi_i$ in the
environment $\mathcal{M}$. We construct a product abstract graph for every set of active
agents in $[n]$. The product graph for a set of active agents $B \subseteq [n]$ is used to
learn joint policies which satisfy the specification of all agents in $B$ with high
probability.


Definition 3. Given a set of agents $B = \{i_1, \ldots, i_m\} \subseteq [n]$, the product graph
$\mathcal{G}_B = (\overline{U}, \overline{E}, \overline{u}_0, \overline{F}, \overline{\beta}, \overline{Z}_{\text{safe}})$ is the asynchronous product of $\mathcal{G}_i$ for all $i \in B$, with

- $\overline{U} = \prod_{i \in B} U_i$ is the set of product vertices,
- an edge $\overline{e} = (u_{i_1}, \ldots, u_{i_m}) \to (v_{i_1}, \ldots, v_{i_m}) \in \overline{E}$ if for at least one agent $i \in B$
  the edge $u_i \to v_i \in E_i$ and for all other agents $u_i = v_i$,
- $\overline{u}_0 = (u_0^{i_1}, \ldots, u_0^{i_m})$ is the initial vertex,
- $\overline{F} = \prod_{i \in B} F_i$ is the set of final vertices,
- $\overline{\beta} = (\beta_{i_1}, \ldots, \beta_{i_m})$ is the collection of concretization maps, and
- $\overline{Z}_{\text{safe}} = (Z_{\text{safe},i_1}, \ldots, Z_{\text{safe},i_m})$ is the collection of safe trajectories.

We denote the $i$-th component of a product vertex $\overline{u} \in \overline{U}$ by $u_i$ for agent
$i \in B$. Similarly, the $i$-th component in an edge $\overline{e} = \overline{u} \to \overline{v}$ is denoted by
$e_i = u_i \to v_i$ for $i \in B$; note that $e_i$ can be a self loop which is not an edge in
$\mathcal{G}_i$. For an edge $\overline{e} \in \overline{E}$, we denote the set of agents $i \in B$ for which $e_i \in E_i$, and
not a self loop, by $\text{progress}(\overline{e})$.
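As an added illustration (not the paper's implementation), the construction of Definition 3 restricted to its graph part $(U, E, u_0, F)$, together with $\text{progress}(\overline{e})$, a topological order of the product and a count of the paths that end in a final vertex. The class and function names and the toy black/blue graphs used to exercise it are assumptions of the example; $\beta$ and $Z_{\text{safe}}$ are omitted because they refer to the concrete MDP.

```python
from itertools import product
from typing import Dict, FrozenSet, Hashable, List, Set, Tuple

Vertex = Hashable
Edge = Tuple[Vertex, Vertex]


class AbstractGraph:
    """The (U, E, u0, F) skeleton of an abstract graph; beta and Z_safe are left out here."""

    def __init__(self, vertices, edges, u0, final):
        self.U: List[Vertex] = list(vertices)
        self.E: Set[Edge] = set(edges)
        self.u0: Vertex = u0
        self.F: Set[Vertex] = set(final)


class ProductGraph:
    """Asynchronous product of the abstract graphs of the active agents B (Definition 3)."""

    def __init__(self, graphs: Dict[str, AbstractGraph]):
        self.agents = sorted(graphs)                 # fixed order of tuple components
        self.U = list(product(*(graphs[i].U for i in self.agents)))
        self.u0 = tuple(graphs[i].u0 for i in self.agents)
        self.F = {u for u in self.U
                  if all(u[k] in graphs[i].F for k, i in enumerate(self.agents))}
        # E maps each product edge to progress(e): the agents whose component is a real edge.
        self.E: Dict[Tuple[tuple, tuple], FrozenSet[str]] = {}
        for u in self.U:
            for v in self.U:
                progress = self._progress(graphs, u, v)
                if progress:
                    self.E[(u, v)] = progress

    def _progress(self, graphs, u, v) -> FrozenSet[str]:
        moved = set()
        for k, i in enumerate(self.agents):
            if u[k] == v[k]:
                continue                              # self loop for agent i: allowed
            if (u[k], v[k]) not in graphs[i].E:
                return frozenset()                    # not an edge of G_i: no product edge
            moved.add(i)
        return frozenset(moved)                       # empty only when u == v (no edge)

    def successors(self, u):
        return [v for (x, v) in self.E if x == u]

    def topological_order(self):
        """Kahn's algorithm; valid because a product of DAGs is a DAG."""
        indeg = {u: 0 for u in self.U}
        for (_, v) in self.E:
            indeg[v] += 1
        ready = [u for u in self.U if indeg[u] == 0]
        order = []
        while ready:
            u = ready.pop()
            order.append(u)
            for v in self.successors(u):
                indeg[v] -= 1
                if indeg[v] == 0:
                    ready.append(v)
        return order

    def count_paths_to_final(self) -> int:
        """Number of paths from u0 that end in a final vertex (the candidate path policies)."""
        memo: Dict[tuple, int] = {}

        def paths_from(u):
            if u not in memo:
                memo[u] = (1 if u in self.F else 0) + sum(paths_from(v) for v in self.successors(u))
            return memo[u]

        return paths_from(self.u0)


def build_black_blue_example() -> ProductGraph:
    """Constructed stand-in for Figs. 2-4: the black car needs two subgoals, the blue car one."""
    black = AbstractGraph([0, 1, 2], [(0, 1), (1, 2)], 0, [2])
    blue = AbstractGraph([0, 1], [(0, 1)], 0, [1])
    return ProductGraph({"black": black, "blue": blue})
```

In the toy instance the product has 6 vertices and 9 edges but 5 paths to the final vertex: the blue car's single step can be taken alone before, between or after the black car's two steps, or merged with either of them. This is the growth the next paragraph refers to, and why edge policies rather than path policies are learned.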

Abstract graphs of the black car and the blue car from the motivating example
are shown in Figs. 2 and 3 respectively. The vertex $v_1$ denotes the subgoal
region $\beta_{\text{black}}(v_1)$ consisting of states in which the black car has crossed the intersection
but the orange and green cars have not. The subgoal region $\beta_{\text{blue}}(v_2)$ is
the set of states in which the blue car has crossed the intersection but the black
car has not. $Z_1$ denotes trajectories in which the black car does not collide and
$Z_2$ denotes trajectories in which the blue car does not collide and stays a car
length ahead of the orange and green cars. The product abstract graph for the
set of active agents $B = \{\text{black}, \text{blue}\}$ is shown in Fig. 4. The safe trajectories on
the edges reflect the notion of achieving a product edge which we discuss below.

A trajectory $\zeta = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{k-1}} s_k$ achieves an edge $\overline{e} = \overline{u} \to \overline{v}$
in $\mathcal{G}_B$ if all progressing agents $i \in \text{progress}(\overline{e})$ reach their target subgoal region
$\beta_i(v_i)$ along the trajectory and the trajectory is safe for all agents in $B$. For
a progressing agent $i \in \text{progress}(\overline{e})$, the initial segment of the rollout until the
agent reaches its subgoal region should be safe with respect to the edge $e_i$. After
that, the rollout should be safe with respect to every future possibility for the
agent. This is required to ensure continuity of the rollout into adjacent edges in
the product graph $\mathcal{G}_B$. For the same reason, we require that the entire rollout
is safe with respect to all future possibilities for non-progressing agents. Note
that we are not concerned with non-active agents in $[n] \setminus B$. In order to formally
define this notion, we need to set up some notation.

For a predicate $b \in \mathcal{P}$, let the set of safe trajectories w.r.t. $b$ be given by
$Z_b = \{\zeta = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{t-1}} s_t \in Z \mid \forall\, 0 \le k \le t,\ s_k \models b\}$. It is known
that the set of safe trajectories along an edge in an abstract graph constructed from a
SPECTRL specification is either of the form $Z_b$ or $Z_{b_1} \circ Z_{b_2}$, where $b, b_1, b_2 \in \mathcal{P}$
and $\circ$ denotes concatenation [16]. In addition, for every final vertex $f$, $Z^{f}_{\text{safe}}$ is
of the form $Z_b$ for some $b \in \mathcal{P}$. We define First as follows:

$\text{First}(Z') = Z_b$ if $Z' = Z_b$, and $\text{First}(Z') = Z_{b_1}$ if $Z' = Z_{b_1} \circ Z_{b_2}$.


We are now ready to define the notion of satisfiability of a product edge.

Definition 4. A rollout $\zeta = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{k-1}} s_k$ achieves an edge $\overline{e} =
\overline{u} \to \overline{v}$ in $\mathcal{G}_B$ (denoted $\zeta \models_B \overline{e}$) if

1. for all progressing agents $i \in \text{progress}(\overline{e})$, there exists an index $k_i \le k$ such
   that $s_{k_i} \in \beta_i(v_i)$ and $\zeta_{0:k_i} \in Z^{e_i}_{\text{safe},i}$. If $v_i \in F_i$ then $\zeta_{k_i:k} \in Z^{v_i}_{\text{safe},i}$. Otherwise,
   $\zeta_{k_i:k} \in \text{First}(Z^{v_i \to w_i}_{\text{safe},i})$ for all $w_i \in \text{outgoing}(v_i)$. Furthermore, we require $k_i > 0$
   if $u_i \ne u_0^i$.
2. for all non-progressing agents $i \in B \setminus \text{progress}(\overline{e})$, if $u_i \notin F_i$, $\zeta \in \text{First}(Z^{u_i \to w_i}_{\text{safe},i})$
   for all $w_i \in \text{outgoing}(u_i)$. Otherwise (if $u_i \in F_i$), $\zeta \in Z^{u_i}_{\text{safe},i}$.

We can now define what it means for a trajectory to achieve a path in the
product graph $\mathcal{G}_B$.

Definition 5. Given $B \subseteq [n]$, a rollout $\zeta = s_0 \to \cdots \to s_t$ achieves a path
$\rho = \overline{u}_0 \to \cdots \to \overline{u}_\ell$ in $\mathcal{G}_B$ (denoted $\zeta \models_B \rho$) if there exist indices $0 = k_0 <
k_1 < \cdots < k_\ell \le t$ such that (i) $\overline{u}_\ell \in \overline{F}$, (ii) $\zeta_{k_z : k_{z+1}}$ achieves $\overline{u}_z \to \overline{u}_{z+1}$ for all
$0 \le z < \ell$, and (iii) $\zeta_{k_\ell : t} \in Z^{(\overline{u}_\ell)_i}_{\text{safe},i}$ for all $i \in B$, where $(\overline{u}_\ell)_i$ denotes the $i$-th component of $\overline{u}_\ell$.

Theorem 2. Let $\rho = \overline{u}_0 \to \overline{u}_1 \to \cdots \to \overline{u}_\ell$ be a path in the product abstract
graph $\mathcal{G}_B$ for $B \subseteq [n]$. Suppose trajectory $\zeta \models_B \rho$. Then $\zeta \models \phi_i$ for all $i \in B$.

That is, joint policies that maximize the probability of achieving paths in the
product abstract graph $\mathcal{G}_B$ have high social welfare w.r.t. the active agents $B$.


4.2 Compositional RL Algorithm 


Our compositional RL algorithm learns joint policies corresponding to paths in
product abstract graphs. For every $B \subseteq [n]$, it learns a joint policy $\pi_{\overline{e}}$ for each
edge $\overline{e}$ in the product abstract graph $\mathcal{G}_B$, which is the (deterministic) policy that
maximizes the probability of achieving $\overline{e}$ from a given initial state distribution.
We assume all agents are acting cooperatively; thus, we treat the agents as
one and use single-agent RL to learn each edge policy. We will check whether
any deviation from this cooperative behaviour by any agent can be punished by
the coalition of other agents in the verification phase. The reward function is
designed to capture the reachability objective of progressing agents and the
safety objective of all active agents.

The edges are learned in topological order, allowing us to learn an induced
state distribution for each product vertex $\overline{u}$ prior to learning any edge policies
from $\overline{u}$; this distribution is used as the initial state distribution when learning
outgoing edge policies from $\overline{u}$. In more detail, the distribution for the initial
vertex of $\mathcal{G}_B$ is taken to be the initial state distribution of the environment;
for every other product vertex, the distribution is the average over distributions
induced by executing edge policies for all incoming edges. This is possible because
the product graph is a DAG.

[Fig. 5. $\pi_i$ augmented with punishment strategies.]

Given edge policies $\Pi$ along with a path $\rho = \overline{u}_0 \to \overline{u}_1 \to \cdots \to \overline{u}_m = \overline{u} \in \overline{F}$
in $\mathcal{G}_B$, we define a path policy $\pi_\rho$ to navigate from $\overline{u}_0$ to $\overline{u}$. In particular, $\pi_\rho$
executes $\pi_{e[z]}$, where $e[z] = \overline{u}_z \to \overline{u}_{z+1}$ (starting from $z = 0$), until the resulting
trajectory achieves $e[z]$, after which it increments $z \leftarrow z + 1$ (unless $e[z]$ is the last edge of $\rho$).
That is, $\pi_\rho$ is designed to achieve the sequence of edges in $\rho$. Note that $\pi_\rho$ is a
finite-state deterministic joint policy in which vertices on the path correspond
to the memory states that keep track of the index of the current policy. This
way, we obtain finite-state joint policies by learning edge policies only.

This process is repeated for all sets of active agents B C [n]. These finite- 
state joint policies are then ranked by estimating their social welfare on several 
simulations. 


5 Nash Equilibria Verification 


The prioritized enumeration phase produces a list of path policies which are
ranked by the total sum of scores. Each path policy is deterministic and also
finite state. Since the joint policies are trained cooperatively, they are typically
not $\varepsilon$-Nash equilibria. Thus, our verification algorithm not only tries to prove
that a given joint policy is an $\varepsilon$-Nash equilibrium, but also tries to modify it
so it satisfies this property. In particular, our verification algorithm attempts to
modify a given joint policy by adding punishment strategies so that the resulting
policy is an $\varepsilon$-Nash equilibrium.

Concretely, it takes as input a finite-state deterministic joint policy $\pi =
(M, \alpha, \sigma, m_0)$ where $M$ is a finite set of memory states, $\alpha : S \times A \times M \to M$ is
the memory update function, $\sigma : S \times M \to A$ maps states to (joint) actions and
$m_0$ is the initial policy state. The extended memory update function $\hat{\alpha} : Z \to
M$ maps the empty trajectory to $m_0$ and satisfies $\hat{\alpha}(\zeta s_t a_t) = \alpha(s_t, a_t, \hat{\alpha}(\zeta))$. Then, $\pi$ is given by
$\pi(\zeta s_t) = \sigma(s_t, \hat{\alpha}(\zeta))$. The policy $\pi_i$ of agent $i$ simply chooses the $i$-th component
of $\pi(\zeta)$ for any history $\zeta$.
The verification algorithm learns one punishment strategy $\tau_{ij} : Z \to \mathcal{D}(A_i)$
for each pair $(i, j)$ of agents. As outlined in Fig. 5, the modified policy for agent
$i$ uses $\pi_i$ if every agent $j$ has taken actions according to $\pi_j$ in the past. In case
some agent $j'$ has taken an action that does not match the output of $\pi_{j'}$, then
agent $i$ uses the punishment strategy $\tau_{ij}$, where $j$ is the agent that deviated the
earliest (ties broken arbitrarily). The goal of verification is to check if there is a
set of punishment strategies $\{\tau_{ij} \mid i \ne j\}$ such that after modifying each agent's
policy to use them, the resulting joint policy is an $\varepsilon$-Nash equilibrium.


5.1 Problem Formulation 


We denote the set of all punishment strategies of agent $i$ by $\tau_i = \{\tau_{ij} \mid j \ne i\}$.
We define the composition of $\pi_i$ and $\tau_i$ to be the policy $\tilde{\pi}_i = \pi_i \bowtie \tau_i$ such that
for any trajectory $\zeta = s_0 \xrightarrow{a_0} \cdots \xrightarrow{a_{t-1}} s_t$, we have

- $\tilde{\pi}_i(\zeta) = \pi_i(\zeta)$ if for all $0 \le k < t$, $a_k = \pi(\zeta_{0:k})$, i.e., no agent has deviated so
  far,
- $\tilde{\pi}_i(\zeta) = \tau_{ij}(\zeta)$ if there is a $k$ such that (i) $a_k^j \ne \pi_j(\zeta_{0:k})$ and (ii) for all $\ell < k$,
  $a_\ell = \pi(\zeta_{0:\ell})$. If there are multiple such $j$'s, an arbitrary but consistent choice
  is made (e.g., the smallest such $j$).

Given a finite-state deterministic joint policy $\pi$, the verification problem is to
check if there exists a set of punishment strategies $\tau = \bigcup_i \tau_i$ such that the joint
policy $\tilde{\pi} = \pi \bowtie \tau = (\pi_1 \bowtie \tau_1, \ldots, \pi_n \bowtie \tau_n)$ is an $\varepsilon$-Nash equilibrium. In other
words, the problem is to check if there exists a policy $\tilde{\pi}_i$ for each agent $i$ such
that (i) $\tilde{\pi}_i$ follows $\pi_i$ as long as no other agent $j$ deviates from $\pi_j$ and (ii) the
joint policy $\tilde{\pi} = (\tilde{\pi}_1, \ldots, \tilde{\pi}_n)$ is an $\varepsilon$-Nash equilibrium.
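The composition $\pi \bowtie \tau$ is a history-dependent switch, and it is worth seeing the switching rule run on a concrete history. The following is an added example, not code from the paper: it implements the two cases above (earliest deviation, smallest deviator on ties) and rolls the composed policy out against an alternate policy for one agent. The two-agent counter environment, the deterministic $\pi$ that always plays $(0,0)$, the constant punishment strategies and all function names are assumptions of the example; in the paper the $\tau_{ij}$ are learned and may be probabilistic.

```python
from typing import Callable, Dict, Optional, Sequence, Tuple

Action = int
JointAction = Tuple[Action, ...]
# A deterministic joint policy maps the state prefix s_0..s_t to a joint action; a punishment
# strategy tau_ij maps the full history (states, joint actions) to an action of agent i.
JointPolicy = Callable[[Sequence[int]], JointAction]
Punish = Callable[[Sequence[int], Sequence[JointAction]], Action]


def first_deviator(pi: JointPolicy, states: Sequence[int],
                   actions: Sequence[JointAction]) -> Optional[Tuple[int, int]]:
    """Earliest (k, j) with a_k^j != pi_j(zeta_{0:k}); ties at the same k go to the smallest j."""
    for k, a_k in enumerate(actions):
        prescribed = pi(states[: k + 1])
        for j, (a_j, p_j) in enumerate(zip(a_k, prescribed)):
            if a_j != p_j:
                return k, j
    return None


def compose(pi: JointPolicy, tau: Dict[Tuple[int, int], Punish], n: int):
    """pi ⋈ tau: follow pi while nobody has deviated; afterwards every other agent punishes the
    earliest deviator j with tau_ij, whatever happens later in the history."""

    def composed(states: Sequence[int], actions: Sequence[JointAction]) -> JointAction:
        prescribed = pi(states)
        dev = first_deviator(pi, states, actions)
        if dev is None:
            return prescribed
        _, j = dev
        # Agent j's own entry is kept as pi_j: in the verification game it is replaced by pi_j'.
        return tuple(prescribed[i] if i == j else tau[(i, j)](states, actions) for i in range(n))

    return composed


def rollout(step: Callable[[int, JointAction], int], s0: int, horizon: int, composed,
            deviator: Optional[int] = None,
            alt: Optional[Callable[[Sequence[int]], Action]] = None):
    """Run H steps of (pi ⋈ tau)_{-j} against an alternate policy alt for agent j (if given)."""
    states, actions = [s0], []
    for _ in range(horizon):
        a = list(composed(states, actions))
        if deviator is not None:
            a[deviator] = alt(states)
        actions.append(tuple(a))
        states.append(step(states[-1], actions[-1]))
    return states, actions


# Constructed two-agent toy: the state is a counter advanced by the sum of the joint action.
# pi prescribes (0, 0) forever; each tau_ij "punishes" by playing 1 from then on.
PI: JointPolicy = lambda states: (0, 0)
TAU: Dict[Tuple[int, int], Punish] = {(0, 1): lambda s, a: 1, (1, 0): lambda s, a: 1}
COMPOSED = compose(PI, TAU, n=2)


def demo_deviation(horizon: int = 4):
    """Agent 1 follows pi for one step and then deviates; agent 0 switches to tau_01 one step later."""
    alt = lambda states: 1 if len(states) >= 2 else 0
    return rollout(lambda s, a: s + sum(a), 0, horizon, COMPOSED, deviator=1, alt=alt)
```

The punishment starts one step after the deviation is observable, which is exactly why the verification game of Section 5.3 has to be solved over histories of the product rather than over single states.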


5.2 High-Level Procedure 


Our approach is to compute the best set of punishment strategies $\tau^*$ w.r.t. $\pi$
and check if $\pi \bowtie \tau^*$ is an $\varepsilon$-Nash equilibrium. The best punishment strategy
against agent $j$ is the one that minimizes its incentive to deviate. To be precise,
we define the best response of $j$ with respect to a joint policy $\pi' = (\pi_1', \ldots, \pi_n')$ to
be $\text{br}_j(\pi') \in \arg\max_{\pi_j''} J_j(\pi'_{-j}, \pi_j'')$. Then, the best set of punishment strategies
$\tau^*$ w.r.t. $\pi$ is one that minimizes the value of $\text{br}_j(\pi \bowtie \tau)$ for all $j \in [n]$. To be
precise, define $\tau[j] = \{\tau_{ij} \mid i \ne j\}$ to be the set of punishment strategies against
agent $j$. Then, we want to compute $\tau^*$ such that for all $j$,

$\tau^* \in \arg\min_{\tau} J_j((\pi \bowtie \tau)_{-j}, \text{br}_j(\pi \bowtie \tau))$. (1)

We observe that for any two sets of punishment strategies $\tau, \tau'$ with $\tau[j] = \tau'[j]$
and any policy $\pi_j'$, we have $J_j((\pi \bowtie \tau)_{-j}, \pi_j') = J_j((\pi \bowtie \tau')_{-j}, \pi_j')$. This is
because, for any $\pi_j'$, punishment strategies in $\tau \setminus \tau[j]$ do not affect the behaviour
of the joint policy $((\pi \bowtie \tau)_{-j}, \pi_j')$, since no agent other than agent $j$ will deviate
from $\pi$. Hence, $\text{br}_j(\pi \bowtie \tau)$ as well as $J_j((\pi \bowtie \tau)_{-j}, \text{br}_j(\pi \bowtie \tau))$ are independent
of $\tau \setminus \tau[j]$; therefore, we can separately compute $\tau^*[j]$ (satisfying Eq. 1) for each
$j$ and take $\tau^* = \bigcup_j \tau^*[j]$. The following theorem follows from the definition of
$\tau^*$.

Theorem 3. Given a finite-state deterministic joint policy $\pi = (\pi_1, \ldots, \pi_n)$, if
there is a set of punishment strategies $\tau$ such that $\pi \bowtie \tau$ is an $\varepsilon$-Nash equilibrium,
then $\pi \bowtie \tau^*$ is an $\varepsilon$-Nash equilibrium, where $\tau^*$ is the set of best punishment
strategies w.r.t. $\pi$. Furthermore, $\pi \bowtie \tau^*$ is an $\varepsilon$-Nash equilibrium iff for all $j$,

$J_j((\pi \bowtie \tau^*)_{-j}, \text{br}_j(\pi \bowtie \tau^*)) - \varepsilon \le J_j(\pi \bowtie \tau^*) = J_j(\pi)$.

Thus, to solve the verification problem, it suffices to compute (or estimate), for
all $j$, the optimal deviation scores

$\text{dev}_j = \min_{\tau} \max_{\pi_j'} J_j((\pi \bowtie \tau)_{-j}, \pi_j')$. (2)


5.3 Reduction to Min-Max Games 


Next, we describe how to reduce the computation of optimal deviation scores 
to a standard self-play RL setting. We first translate the problem from the 
specification setting to a reward-based setting using reward machines. 


Reward Machines. A reward machine (RM) [14] is a tuple $\mathcal{R} = (Q, \delta_u, \delta_r, q_0)$
where $Q$ is a finite set of states, $\delta_u : S \times A \times Q \to Q$ is the state transition
function, $\delta_r : S \times Q \to [-1, 1]$ is the reward function and $q_0$ is the initial RM
state. Given a trajectory $\zeta = s_0 \xrightarrow{a_0} \cdots \xrightarrow{a_{t-1}} s_t$, the reward assigned by $\mathcal{R}$
to $\zeta$ is $\mathcal{R}(\zeta) = \sum_{k=0}^{t} \delta_r(s_k, q_k)$, where $q_{k+1} = \delta_u(s_k, a_k, q_k)$ for all $k < t$. For any
SPECTRL specification $\phi$, we can construct an RM such that the reward assigned
to a trajectory $\zeta$ indicates whether $\zeta$ satisfies $\phi$.

Theorem 4. Given any SPECTRL specification $\phi$, we can construct an RM $\mathcal{R}_\phi$
such that for any trajectory $\zeta$ of length $t+1$, $\mathcal{R}_\phi(\zeta) = \mathbb{1}(\zeta_{0:t} \models \phi)$.

For an agent $j$, let $\mathcal{R}_j$ denote $\mathcal{R}_{\phi_j} = (Q_j, \delta_u^j, \delta_r^j, q_0^j)$. Letting $\mathcal{D}_\pi$ be the distribution
over length-$(H+1)$ trajectories induced by using $\pi$, we have $\mathbb{E}_{\zeta \sim \mathcal{D}_\pi}[\mathcal{R}_j(\zeta)] =
J_j(\pi)$. The deviation values defined in Eq. 2 are now min-max values of expected
reward, except that it is not in a standard min-max setting since the policy of
every non-deviating agent $i \ne j$ is constrained to be of the form $\pi_i \bowtie \tau_i$. This
issue can be handled by considering a product of $\mathcal{M}$ with the reward machine
$\mathcal{R}_j$ and the finite-state joint policy $\pi$. The following theorem follows naturally.
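Theorem 4 is stated without its construction. The following added example (not the paper's general construction) hand-builds an RM for one specification, $(\texttt{achieve}\ b_1; \texttt{achieve}\ b_2)\ \texttt{ensuring}\ c$, evaluates $\mathcal{R}(\zeta)$ exactly as defined above, and checks it against the direct SPECTRL semantics of that specification. Two design points are worth seeing: because $\delta_r$ is summed over every step, the RM pays $+1$ once on acceptance and $-1$ if an $\texttt{ensuring}$ violation follows, so the running sum stays an indicator; and because $q_{k+1}$ is computed from $s_k$, the verdict on $\zeta_{0:t}$ is paid out at $s_{t+1}$, which is the "length $t+1$" in Theorem 4. The one-dimensional positions, the predicate choices and the state names are assumptions of this example.

```python
from typing import Callable, Sequence, Tuple

State = int           # constructed toy: a car's position on a one-dimensional road
Pred = Callable[[State], bool]

# RM states for phi = (achieve b1; achieve b2) ensuring c. Besides the monitor position,
# the state records whether a +1 / -1 reward is still owed, so that the running sum of
# rewards always equals the indicator of satisfaction of the prefix seen so far.
WAIT_B1, WAIT_B2, ACCEPT_PAY, ACCEPTED, VIOLATE_PAY, DEAD = range(6)


def make_rm(b1: Pred, b2: Pred, c: Pred):
    """Return (delta_u, delta_r, q0) for the specification (achieve b1; achieve b2) ensuring c."""

    def delta_u(s: State, a: int, q: int) -> int:
        # The action is irrelevant for this specification; RMs may use it in general.
        if q in (WAIT_B1, WAIT_B2):
            if not c(s):
                return DEAD                            # safety broken before acceptance
            if q == WAIT_B1:
                return WAIT_B2 if b1(s) else WAIT_B1
            return ACCEPT_PAY if b2(s) else WAIT_B2    # b2 must occur strictly after the first b1
        if q in (ACCEPT_PAY, ACCEPTED):
            return VIOLATE_PAY if not c(s) else ACCEPTED
        return DEAD                                    # VIOLATE_PAY and DEAD are absorbing

    def delta_r(s: State, q: int) -> float:
        return {ACCEPT_PAY: 1.0, VIOLATE_PAY: -1.0}.get(q, 0.0)

    return delta_u, delta_r, WAIT_B1


def rm_reward(rm, states: Sequence[State], actions: Sequence[int]) -> float:
    """R(zeta) = sum_k delta_r(s_k, q_k) with q_{k+1} = delta_u(s_k, a_k, q_k)."""
    delta_u, delta_r, q = rm
    total = 0.0
    for k, s in enumerate(states):
        total += delta_r(s, q)
        if k < len(actions):
            q = delta_u(s, actions[k], q)
    return total


def spec_holds(states: Sequence[State], b1: Pred, b2: Pred, c: Pred) -> bool:
    """Direct SPECTRL semantics of (achieve b1; achieve b2) ensuring c on s_0 ... s_t."""
    if not all(c(s) for s in states):
        return False
    first_b1 = next((i for i, s in enumerate(states) if b1(s)), None)
    return first_b1 is not None and any(b2(s) for s in states[first_b1 + 1:])


# Constructed predicates: checkpoint at position 2, goal at 4, position 9 models a collision.
B1: Pred = lambda s: s == 2
B2: Pred = lambda s: s == 4
SAFE: Pred = lambda s: s != 9
RM = make_rm(B1, B2, SAFE)


def check_theorem4(states: Sequence[State]) -> Tuple[float, bool]:
    """Reward on s_0..s_{t+1} versus satisfaction of the prefix s_0..s_t (actions are dummies)."""
    actions = [0] * (len(states) - 1)
    return rm_reward(RM, states, actions), spec_holds(states[:-1], B1, B2, SAFE)
```

The third assertion below shows the lag: on $0, 2, 4$ the prefix $0, 2$ is not yet satisfied and the reward is $0$, although the full trajectory already reaches the goal; one more step is needed before the RM pays out.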


Theorem 5. Given a finite-state deterministic joint policy $\pi = (M, \alpha, \sigma, m_0)$,
for any agent $j$, we can construct a simulator for an augmented two-player zero-sum
Markov game $\mathcal{M}_j^\pi$ (with rewards) which has the following properties.

- The number of states in $\mathcal{M}_j^\pi$ is at most $2|S||M||Q_j|$.
- The actions of player 1 are $A_j$, and the actions of player 2 are $A_{-j} = \prod_{i \ne j} A_i$.
- The min-max value of the two-player game corresponds to the deviation cost
  of $j$, i.e.,

  $\text{dev}_j = \min_{\pi_2} \max_{\pi_1} J_j^\pi(\pi_1, \pi_2)$,

  where $J_j^\pi(\pi_1, \pi_2) = \mathbb{E}\big[\sum_{k=0}^{H} \delta_r^j(s_k, q_k) \mid \pi_1, \pi_2\big]$ is the expected sum of
  rewards w.r.t. the distribution over $(H+1)$-length trajectories generated by
  using the joint policy $(\pi_1, \pi_2)$ in $\mathcal{M}_j^\pi$.
- Given any policy $\pi_2$ for player 2 in $\mathcal{M}_j^\pi$, we can construct a set of punishment
  strategies $\tau[j] = \text{PUNSTRAT}(\pi_2)$ against agent $j$ in $\mathcal{M}$ such that

  $\max_{\pi_1} J_j^\pi(\pi_1, \pi_2) = \max_{\pi_j'} J_j((\pi \bowtie \tau[j])_{-j}, \pi_j')$.

Given an estimate $\widehat{\mathcal{M}}$ of $\mathcal{M}$, we can also construct an estimate $\widehat{\mathcal{M}}_j^\pi$ of $\mathcal{M}_j^\pi$.

We omit the superscript $\pi$ from $\mathcal{M}_j^\pi$ when there is no ambiguity. We denote by
CONSTRUCTGAME($\mathcal{M}, j, \mathcal{R}_j, \pi$) the product construction procedure that constructs
and returns $\mathcal{M}_j$.

Algorithm 2 VERIFYNASH
Inputs: Finite-state deterministic joint policy $\pi$, specifications $\phi_j$ for all $j$, Nash
factor $\varepsilon$, precision $\delta$, failure probability $p$.
Outputs: True or False along with a set of punishment strategies $\tau$.
1: existsNE $\leftarrow$ True
2: $\tau \leftarrow \emptyset$
3: $\widehat{\mathcal{M}} \leftarrow$ BFS-ESTIMATE($\mathcal{M}, \delta, p$)   // Only run if $\mathcal{M}$ has not been estimated before.
4: for agent $j \in \{1, \ldots, n\}$ do
5:     $\mathcal{R}_j \leftarrow$ CONSTRUCTRM($\phi_j$)
6:     $\widehat{\mathcal{M}}_j \leftarrow$ CONSTRUCTGAME($\widehat{\mathcal{M}}, j, \mathcal{R}_j, \pi$)
7:     $\widehat{\text{dev}}_j \leftarrow \min_{\pi_2} \max_{\pi_1} J^{\widehat{\mathcal{M}}_j}(\pi_1, \pi_2)$
8:     $\pi_2^* \leftarrow \arg\min_{\pi_2} \max_{\pi_1} J^{\widehat{\mathcal{M}}_j}(\pi_1, \pi_2)$
9:     existsNE $\leftarrow$ existsNE $\wedge$ ($\widehat{\text{dev}}_j \le J_j(\pi) + \varepsilon - \delta$)
10:    $\tau \leftarrow \tau \cup$ PUNSTRAT($\pi_2^*$)
11: return existsNE, $\tau$


5.4 Solving Min-Max Games 


The min-max game $\mathcal{M}_j$ can be solved using self-play RL algorithms. Many of
these algorithms provide probabilistic approximation guarantees for computing
the min-max value of the game. We use a model-based algorithm, similar to the
one proposed in [4], that first estimates the model $\mathcal{M}_j$ and then solves the game
in the estimated model.

One approach is to use existing algorithms for reward-free exploration to estimate
the model [15], but this approach requires estimating each $\mathcal{M}_j$ separately.
Under Assumption 1, we provide a simpler and more sample-efficient algorithm,
called BFS-ESTIMATE, for estimating $\mathcal{M}$. BFS-ESTIMATE performs a search
over the transition graph of $\mathcal{M}$ by exploring previously seen states in a breadth-first
manner. When exploring a state $s$, multiple samples are collected by taking
all possible actions in $s$ several times and the corresponding transition probabilities
are estimated. After obtaining an estimate of $\mathcal{M}$, we can directly construct
an estimate of $\mathcal{M}_j^\pi$ for any $\pi$ and $j$ when required. Letting $|Q| = \max_j |Q_j|$ and
$|M|$ denote the size of the largest finite-state policy output by our enumeration
algorithm, we get the following guarantee.
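As an added example (not the paper's BFS-ESTIMATE implementation), the breadth-first estimation sketched above, with Assumption 1 modelled as a sampler callback that can be queried at any previously observed state. The sampler, the single-car toy dynamics borrowed from the Intersection environment of Section 7 (MOVE succeeds with probability 0.95, STAY stays, position 0 is absorbing), the fixed per-(state, action) sample count $m$ and the $L_1$ error metric are assumptions of this example; the paper's choice of $m$ from $\delta$ and $p$ is not reproduced.

```python
import random
from collections import deque
from typing import Callable, Dict, Hashable, Iterable, Tuple

State = Hashable
Action = Hashable
Dist = Dict[State, float]
# Assumption 1 as an interface: a simulator returning s' ~ P(. | s, a) for any observed s.
Sampler = Callable[[State, Action], State]


def bfs_estimate(s0: State, actions: Iterable[Action], sample: Sampler, m: int
                 ) -> Tuple[Dict[Tuple[State, Action], Dist], int]:
    """Breadth-first model estimation: every observed state is expanded once, each action m times.

    Returns the empirical transition model P_hat and the number of simulator steps used.
    """
    actions = list(actions)
    counts: Dict[Tuple[State, Action], Dict[State, int]] = {}
    seen = {s0}
    queue = deque([s0])
    steps = 0
    while queue:
        s = queue.popleft()
        for a in actions:
            tally = counts.setdefault((s, a), {})
            for _ in range(m):
                s_next = sample(s, a)
                steps += 1
                tally[s_next] = tally.get(s_next, 0) + 1
                if s_next not in seen:          # newly discovered state: expand it later
                    seen.add(s_next)
                    queue.append(s_next)
    p_hat = {sa: {s2: n / m for s2, n in tally.items()} for sa, tally in counts.items()}
    return p_hat, steps


def max_l1_error(p_hat, p_true: Callable[[State, Action], Dist]) -> float:
    """Worst-case L1 distance between estimated and true next-state distributions."""
    worst = 0.0
    for (s, a), est in p_hat.items():
        true = p_true(s, a)
        keys = set(est) | set(true)
        worst = max(worst, sum(abs(est.get(k, 0.0) - true.get(k, 0.0)) for k in keys))
    return worst


# Constructed toy: one car of the Intersection environment on positions 3, 2, 1, 0.
MOVE, STAY = "MOVE", "STAY"


def car_dynamics(s: int, a: str) -> Dist:
    """MOVE decreases the position by 1 w.p. 0.95 and stays w.p. 0.05; STAY stays; 0 is absorbing."""
    if a == MOVE and s > 0:
        return {s - 1: 0.95, s: 0.05}
    return {s: 1.0}


def make_sampler(p_true: Callable[[State, Action], Dist], seed: int) -> Sampler:
    """Wrap a known model as a black-box simulator (the algorithm never reads p_true)."""
    rng = random.Random(seed)

    def sample(s, a):
        dist = p_true(s, a)
        outcomes, weights = zip(*dist.items())
        return rng.choices(outcomes, weights=weights, k=1)[0]

    return sample


def estimate_car_model(m: int = 2000, seed: int = 7):
    """Run the estimator from position 3 and report (P_hat, sample steps, worst L1 error)."""
    p_hat, steps = bfs_estimate(3, [MOVE, STAY], make_sampler(car_dynamics, seed), m)
    return p_hat, steps, max_l1_error(p_hat, car_dynamics)
```

Every reachable state is expanded exactly once, so the sample count is (reachable states) x |A| x m regardless of how many candidate policies are later verified; this is the reuse that line 3 of Algorithm 2 relies on.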


Theorem 6. For any $\delta > 0$ and $p \in (0,1)$, BFS-ESTIMATE($\mathcal{M}, \delta, p$) computes
an estimate $\widehat{\mathcal{M}}$ of $\mathcal{M}$ using $O\big(\text{poly}(|S|, |A|, |M|, |Q|, H, \tfrac{1}{\delta}) \log\big(\tfrac{|S||A|}{p}\big)\big)$ sample steps such
that with probability at least $1 - p$, for any finite-state deterministic joint policy
$\pi$ and any agent $j$,

$\big|\min_{\pi_2} \max_{\pi_1} J^{\widehat{\mathcal{M}}_j^\pi}(\pi_1, \pi_2) - \text{dev}_j\big| \le \delta$,

where $J^{\widehat{\mathcal{M}}_j^\pi}(\pi_1, \pi_2)$ is the expected reward over length-$(H+1)$ trajectories generated
by $(\pi_1, \pi_2)$ in $\widehat{\mathcal{M}}_j^\pi$. Furthermore, letting $\pi_2^* \in \arg\min_{\pi_2} \max_{\pi_1} J^{\widehat{\mathcal{M}}_j^\pi}(\pi_1, \pi_2)$ and
$\tau[j] = \text{PUNSTRAT}(\pi_2^*)$, we have

$\big|\max_{\pi_1} J^{\widehat{\mathcal{M}}_j^\pi}(\pi_1, \pi_2^*) - \max_{\pi_j'} J_j((\pi \bowtie \tau[j])_{-j}, \pi_j')\big| \le \delta$. (3)

The min-max value of $\widehat{\mathcal{M}}_j^\pi$ as well as $\pi_2^*$ can be computed using value iteration.
Our full verification algorithm is summarized in Algorithm 2. It checks if $\widehat{\text{dev}}_j \le
J_j(\pi) + \varepsilon - \delta$ for all $j$, and returns True if so and False otherwise. It also
simultaneously computes the punishment strategies $\tau$ using the optimal policies
for player 2 in the punishment games. Note that BFS-ESTIMATE is called only
once (i.e., the first time VERIFYNASH is called) and the obtained estimate $\widehat{\mathcal{M}}$
is stored and used for verification of every candidate policy $\pi$. The following
soundness guarantee follows from Theorem 6.

Corollary 1 (Soundness). For any $p \in (0,1)$, $\varepsilon > 0$ and $\delta \in (0, \varepsilon)$, with
probability at least $1 - p$, if HIGHNASHSEARCH returns a joint policy $\tilde{\pi}$ then $\tilde{\pi}$
is an $\varepsilon$-Nash equilibrium.


6 Complexity 


In this section, we analyze the time and sample complexity of our algorithm
in terms of the number of agents $n$, size of the specification $|\phi| = \max_{i \in [n]} |\phi_i|$,
number of states in the environment $|S|$, number of joint actions $|A|$, time horizon
$H$, precision $\delta$ and the failure probability $p$.


Sample Complexity. It is known [16] that the number of edges in the abstract
graph $\mathcal{G}_i$ corresponding to specification $\phi_i$ is $O(|\phi_i|^2)$. Hence for any set of active
agents $B$, the number of edges in the product abstract graph $\mathcal{G}_B$ is $O(|\phi|^{2|B|})$.
Hence the total number of edge policies learned by our compositional RL algorithm
is $\sum_{B \subseteq [n]} O(|\phi|^{2|B|}) = O((|\phi|^2 + 1)^n)$. We learn each edge using a fixed number
of sample steps $C$, which is a hyperparameter.

The number of samples used in the verification phase is the same as the number
used by BFS-ESTIMATE. The maximum size of a candidate policy output
by the enumeration algorithm $|M|$ is at most the length of the longest path in
a product abstract graph. Since the maximum path length in a single abstract
graph $\mathcal{G}_i$ is bounded by $|\phi_i|$ and at least one agent must progress along every edge
in a product graph, the maximum length of a path in any product graph is at
most $n|\phi|$. Also, the number of states in the reward machine $\mathcal{R}_i$ corresponding to
$\phi_i$ is $O(2^{|\phi_i|})$. Hence, from Theorem 6 we get that the total number of sample
steps used by our algorithm is $O\big((|\phi|^2 + 1)^n C + \text{poly}(|S|, |A|, n|\phi|, 2^{|\phi|}, H, \tfrac{1}{\delta}) \log\big(\tfrac{|S||A|}{p}\big)\big)$.

Time Complexity. As with sample complexity, the time required to learn all
edge policies is $O((|\phi|^2 + 1)^n (C + |A|))$ where the term $|A|$ is added to account
for the time taken to select an action from $A$ during exploration (we use Q-learning
with $\epsilon$-greedy exploration for learning edge policies). Similarly, the time
taken for constructing the reward machines and running BFS-ESTIMATE is
$O\big(\text{poly}(|S|, |A|, n|\phi|, 2^{|\phi|}, H, \tfrac{1}{\delta}) \log\big(\tfrac{|S||A|}{p}\big)\big)$.

The total number of path policies considered for a given set of active agents
$B$ is bounded by the number of paths in the product abstract graph $\mathcal{G}_B$ that
terminate in a final product state. First, let us consider paths in which exactly
one agent progresses in each edge. The number of such paths is bounded by
$(|B||\phi|)^{|B||\phi|}$ since the length of such paths is bounded by $|B||\phi|$ and there are
at most $|B||\phi|$ choices at each step, i.e., the progressing agent $i$ and the next vertex of
the abstract graph $\mathcal{G}_{\phi_i}$. Now, any path in $\mathcal{G}_B$ can be constructed by merging
adjacent edges along such a path (in which at most one agent progresses at any
step). The number of ways to merge edges along such a path is bounded by the
number of groupings of edges along the path into at most $|B||\phi|$ groups which is
bounded by $(|B||\phi|)^{|B||\phi|}$. Therefore, the total number of paths in $\mathcal{G}_B$ is at most
$2^{2|B||\phi| \log(n|\phi|)}$. Finally, the total number of path policies considered is at most
$\sum_{B \subseteq [n]} 2^{2|B||\phi| \log(n|\phi|)} \le ((n|\phi|)^{2|\phi|} + 1)^n = O(2^{2n|\phi| \log(2n|\phi|)})$.

Now, for each path policy $\pi$, the verification algorithm solves $\widehat{\mathcal{M}}_j^\pi$ using value
iteration which takes $O(|S||M||Q||A|H f(|A|)) = O(2^{|\phi|} n|\phi| |S||A| H f(|A|))$ time, where
$f(|A|)$ is the time required to solve a linear program of size $|A|$. Also accounting
for the time taken to sort the path policies, we arrive at a time complexity bound
of $2^{O(n|\phi| \log(n|\phi|))} \text{poly}(|S|, |A|, H, \tfrac{1}{\delta}, \tfrac{1}{p})$.

It is worth noting that the procedure halts as soon as our verification procedure
successfully verifies a policy; this leads to early termination for cases where
there is a high-value $\varepsilon$-Nash equilibrium (among the policies considered). Furthermore,
our verification algorithm runs in polynomial time and therefore one could
potentially improve the overall time complexity by reducing the search space in
the prioritized enumeration phase, e.g., by using domain specific insights.
7 Experiments


We evaluate our algorithm on finite state environments and a variety of specifi- 
cations, aiming to answer the following: 


- Can our approach be used to learn $\varepsilon$-Nash equilibria?
- Can our approach learn policies with high social welfare?

We compare our approach to two baselines described below, using two metrics:
(i) the social welfare $\text{welfare}(\pi)$ of the learned joint policy $\pi$, and (ii) an estimate
of the minimum value of $\varepsilon$ for which $\pi$ forms an $\varepsilon$-Nash equilibrium:

$\varepsilon_{\min}(\pi) = \max\{J_i(\pi_{-i}, \text{br}_i(\pi)) - J_i(\pi) \mid i \in [n]\}$.

Here, $\varepsilon_{\min}(\pi)$ is computed using single agent RL (specifically, Q-learning) to
compute $\text{br}_i(\pi)$ for each agent $i$.


Environments and Specifications. We show results on the Intersection environment
illustrated in Fig. 1, which consists of $k$ cars (agents) at a 2-way intersection
of which $k_1$ and $k_2$ cars are placed along the N-S and E-W axes, respectively.
The state consists of the location of all cars where the location of a single car is
a non-negative integer. 1 corresponds to the intersection, 0 corresponds to the
location one step towards the south or west of the intersection (depending on
the car) and locations greater than 1 are to the east or north of the intersection.
Each agent has two actions. STAY stays at the current position. MOVE decreases
the position value by 1 with probability 0.95 and stays with probability 0.05.
We consider specifications similar to the ones in the motivating example.


Baselines. We compare our NE computation method (HIGHNASHSEARCH) to 
two approaches for learning in non-cooperative games. The first, MAQRM, is 
an adaptation of the reward machine based learning algorithm proposed in [22]. 
MAQRM was originally proposed for cooperative multi-agent RL where there is a 
single specification for all the agents. It proceeds by first decomposing the spec- 
ification into individual ones for all the agents and then runs a Q-learning-style 
algorithm (QRM) in parallel for all the agents. We use the second part of their 
algorithm directly since we are given a separate specification for each agent. 
The second baseline, NVI, is a model-based approach that first estimates transi- 
tion probabilities, and then computes a Nash equilibrium in the estimated game 
using value iteration for stochastic games [17]. To promote high social welfare, 
we select the highest value Nash solution for the matrix game at each stage of 
value iteration. Note that this greedy strategy may not maximize social welfare. 
Both MAQRM and NVI learn from rewards as opposed to specifications; thus, we 
supply rewards in the form of reward machines constructed from the specifica- 
tions. NVI is guaranteed to return an ε-Nash equilibrium with high probability, 
but MAQRM is not guaranteed to do so. 
Table 1. Results for all specifications in Intersection Environment. Total of 10 runs 
per benchmark. Timeout = 24 h. 

Spec.  Num. of  Algorithm       welfare(π)    ε_min(π)      Num. of     Avg. num. of
       agents                   (avg ± std)   (avg ± std)   terminated  sample steps
                                                            runs        (in millions)
φ^1    3        HIGHNASHSEARCH  0.33 ± 0.00   0.00 ± 0.00   0           1.78
                NVI             0.32 ± 0.00   0.00 ± 0.00   0           1.92
                MAQRM           0.18 ± 0.01   0.51 ± 0.01   10          2.00
φ^2    4        HIGHNASHSEARCH  0.55 ± 0.10   0.01 ± 0.02   0           11.53
                NVI             0.04 ± 0.01   0.02 ± 0.01   10          12.60
                MAQRM           0.12 ± 0.01   0.20 ± 0.03   10          15.00
φ^3    4        HIGHNASHSEARCH  0.49 ± 0.01   0.00 ± 0.01   10          11.26
                NVI             0.45 ± 0.01   0.00 ± 0.01   10          12.60
                MAQRM           0.11 ± 0.01   0.22 ± 0.02   0           15.00
φ^4    3        HIGHNASHSEARCH  0.90 ± 0.15   0.00 ± 0.00   0           2.16
                NVI             0.98 ± 0.00   0.00 ± 0.00   4           2.18
                MAQRM           0.23 ± 0.01   0.39 ± 0.04   0           2.00
φ^5    5        HIGHNASHSEARCH  0.58 ± 0.02   0.00 ± 0.00   0           62.17
                NVI             0.05 ± 0.01   0.01 ± 0.01   7           80.64
                MAQRM           Timeout       Timeout       0           Timeout


Results. Our results are summarized in Table 1. For each specification, we ran 
all algorithms 10 times with a timeout of 24h. Along with the average social 
welfare and €min, we also report the average number of sample steps taken in the 
environment as well as the number of runs that terminated before timeout. For 
a fair comparison, all approaches were given a similar number of samples from 
the environment. 


Nash Equilibrium. Our approach learns policies that have low values of ε_min, 
indicating that it can be used to learn ε-Nash equilibria for small values of ε. 
NVI also has similar values of ε, which is expected since NVI provides guarantees 
similar to our approach w.r.t. Nash equilibria computation. On the other hand, 
MAQRM learns policies with large values of ε_min, implying that it fails to converge 
to a Nash equilibrium in most cases. 


Social Welfare. Our experiments show that our approach consistently learns 
policies with high social welfare compared to the baselines. For instance, φ^5 
corresponds to the specifications in the motivating example for which our app- 
roach learns a joint policy that causes both blue and black cars to achieve their 
goals. Although NVI succeeds in learning policies with high social welfare for 
some specifications (φ^1, φ^3, φ^4), it fails to do so for others (φ^2, φ^5). Additional 
experiments (see extended version [3]) indicate that NVI achieves similar social 
welfare as our approach for specifications in which all agents can successfully 
achieve their goals (cooperative scenarios). However, in many other scenarios in 
which only some of the agents can fulfill their objectives, our approach achieves 
higher social welfare. 


8 Conclusions 


We have proposed a framework for maximizing social welfare under the con- 
straint that the joint policy should form an ε-Nash equilibrium. Our approach 
involves learning and enumerating a small set of finite-state deterministic policies 
in decreasing order of social welfare and then using a self-play RL algorithm to 
check if they can be extended with punishment strategies to form an ε-Nash equi- 
librium. Our experiments demonstrate that our approach is effective in learning 
Nash equilibria with high social welfare. 

One limitation of our approach is that our algorithm does not have any guar- 
antee regarding optimality with respect to social welfare. The policies considered 
by our algorithm are chosen heuristically based on the specifications, which may 
lead to scenarios where we miss high welfare solutions. For example, φ^7 corre- 
sponds to specifications in the motivating example except that the blue car is 
not required to stay a car length ahead of the other two cars. In this scenario, 
it is possible for three cars to achieve their goals in an equilibrium solution if 
the blue car helps the cars behind by staying in the middle of the intersection 
until they catch up. Such a joint policy is not among the set of policies consid- 
ered; therefore, our approach learns a solution in which only two cars achieve 
their goals. We believe that such limitations can be overcome in future work by 
modifying the various components within our enumerate-and-verify framework. 
Abstract. Decision trees are increasingly used to make socially sensitive 
decisions, where they are expected to be both accurate and fair, but it 
remains a challenging task to optimize the learning algorithm for fairness 
in a predictable and explainable fashion. To overcome the challenge, we 
propose an iterative framework for choosing decision attributes, or fea- 
tures, at each level by formulating feature selection as a series of mixed 
integer optimization problems. Both fairness and accuracy requirements 
are encoded as numerical constraints and solved by an off-the-shelf con- 
straint solver. As a result, the trade-off between fairness and accuracy 
is quantifiable. At a high level, our method can be viewed as a general- 
ization of the entropy-based greedy search techniques such as CART and 
C4.5, and existing fair learning techniques such as IGCS and MIP. Our 
experimental evaluation on six datasets, for which demographic parity is 
used as the fairness metric, shows that the method is significantly more 
effective in reducing bias than other methods while maintaining accuracy. 
Furthermore, compared to non-iterative constraint solving, our iterative 
approach is at least 10 times faster. 


1 Introduction 


Decision trees are one of the most widely used machine learning models in statis- 
tical analysis, data mining and decision making. Compared to other predictive 
models such as deep neural networks, decision trees have the advantage of being 
easily understandable by humans, which makes them a favorite building block in 
systems that require interpretability [34]. However, when they are used to make 
socially sensitive decisions in business, finance and law enforcement, decision 
trees may introduce bias against certain groups [16]. In this context, a widely 
used group fairness metric is demographic parity [11,38], also known as the 80% 
rule [8]. Bias against demographic groups, in general, comes from two sources. 
First, historical data used to learn models may be biased. Second, learning algo- 
rithms may be biased even if they operate on unbiased data. 

State-of-the-art decision tree learning algorithms such as CART and C4.5 [10, 
29], which are the ones used by popular machine learning toolkits, rely on a 
Fig. 1. SFTREE — our symbolic method for synthesizing a fair decision tree. 


greedy search technique that is optimized solely for high learning speed and 
classification accuracy. Since they do not consider fairness as an optimization 
requirement at all, they often produce decision trees that are severely biased. To 
mitigate the bias, modifications have been proposed to make the greedy search 
discrimination-aware [24] (e.g., IGCS). Unfortunately, these modifications are 
not always effective as shown by our own experimental evaluation in Sect. 5 and, 
more importantly, the impact of ad hoc modifications is often unpredictable and 
difficult to explain. 

Meanwhile, there is a line of work in operational research that formulates 
decision tree learning as a mixed-integer optimization (MIO) problem [7,35]. 
Given a finite set F of decision attributes, or features, and a maximum tree 
depth K, the set of all possible decision trees is captured symbolically as a set 
of numerical constraints, which is then fed to a solver to compute the globally- 
optimal decision tree. While optimality was defined initially to minimize the 
tree size and accuracy loss [7,35], later on, fairness was added as a goal of the 
optimization [1,5]. However, the approach remains largely theoretical due to its 
limited scalability: since the entire decision tree must be encoded as a monolithic 
MIO problem, only small training datasets (with sample sizes in the 1000s) and 
small decision trees (with depths up to 4 or 5) can be handled [2,7]. 

To overcome the limitations of the existing approaches, we propose an iter- 
ative constraint solving technique for synthesizing decision trees in a practi- 
cally efficient fashion while simultaneously optimizing for fairness and accuracy. 
Instead of encoding the decision tree as a monolithic MIO formula, we break 
it down to a series of small steps to avoid the scalability bottleneck. Specifi- 
cally, starting from the root node, we use constraint solving to conduct a depth- 
bounded look-ahead search at each level of the decision tree, to compute the best 
feature. Within the look-ahead search, we encode both fairness and accuracy 
requirements explicitly as numerical constraints, to make the fairness-accuracy 
trade-off not only predictable but also easy to explain. 

The overall flow of our method, SFTREE, is shown in Fig. 1. Given a set of 
training examples (E), a set of features (F), and a sensitive feature (f_s ∈ F) as 
input, SFTREE returns the synthesized decision tree (T) as output. Internally, 
SFTREE encodes the hierarchical structure of a partial decision tree symbolically 
starting from the current node and its training set E, covering a fixed number 
of tree levels. Then, it uses an MIO solver to compute the optimal feature, f*, 
that minimizes the bias against the protected group, the classification error, and 
the tree size. Assuming that f* ∈ {0,1} is a Boolean predicate, the training set 
is partitioned into subsets E_{f*} and E_{¬f*}, one for each child node. Our method 
iteratively partitions the child nodes until the training subset becomes empty, or 
all examples in E belong to the same class, or all features in F have been used. 

To demonstrate its effectiveness, we have implemented SFTREE and evalu- 
ated it on six supervised learning datasets, consisting of three small datasets and 
three large ones. Since the small datasets can be handled even by the monolithic 
MIO approach (named MIP [1]) to obtain globally-optimal and fair solutions, we 
used them to evaluate the quality of decision trees learned by our method. The 
large datasets, which are out of the reach of MIP, were used to evaluate scala- 
bility. For comparison, we also evaluated CART [27], a mainstream decision tree 
learning algorithm, and IGCS [24], a discrimination-aware learning algorithm. 

The experimental results show that, among all methods (CART, IGCS, MIP, 
and SFTREE), SFTREE produces the best overall solution in terms of fairness 
and accuracy. In contrast, CART produces unfair decision trees in most cases and, 
while IGCS does well on the small datasets, it produces mostly unfair decision 
trees for the large datasets. Neither CART nor IGCS is effective in satisfying the 
well-known 80% Rule [8] for demographic parity [11,38]. In contrast, SFTREE 
satisfies the 80% Rule in all cases. In terms of scalability, MIP fails to handle any 
of the large datasets, while SFTREE handles all of them. In fact, among all four 
methods, SFTREE is the only one that produces fair and accurate decision trees 
for datasets with >40,000 training samples. 

To sum up, this paper makes the following contributions: 


— We propose an iterative constraint-solving method for synthesizing fair deci- 
sion trees: 
  • By formulating feature selection as a series of mixed integer optimization 
    subproblems, we make the constraints efficiently solvable. 
  • By encoding fairness and accuracy explicitly as symbolic constraints, we 
    make the trade-off quantifiable and easy to explain. 
— We demonstrate the advantages of SFTREE over existing approaches (CART, 
IGCS, and MIP) using six popular datasets in the fairness literature. 


The remainder of this paper is organized as follows. In Sect. 2, we review 
the basics of decision tree learning and group fairness. In Sect.3, we present 
our method. In Sect. 4, we present generalization and performance enhancement 
techniques. In Sect. 5, we present our experimental results. After reviewing the 
related work in Sect. 6, we give our conclusions in Sect. 7. 


2 Background 


2.1 Training Dataset E 


The training dataset is a finite set of examples, E = {(x_i, y_i)}, where i ∈ ℕ is 
the index, input x_i = (f_1, ..., f_k) is a vector of features, and output y_i is a class 
label. Let F be the set of all features. For ease of comprehension, let us assume 
for now that all input features and the output class label are Boolean. In this 
case, every input x_i ∈ {0,1}^k is a k-bit vector in the feature space, the output 
y_i ∈ {0,1} is a bit, and a decision tree trained using E is a k-input Boolean 
function. To make the presentation clear, we may also use y_i ∈ {−, +} instead 
of y_i ∈ {0,1} as the output, where − means “no” and + means “yes”. 

       Input (x_i)                                      Output (y_i)
 i   gender(f1)   rank(f2)   experi(f3)   interv(f4)    offer
 1   0            0          1            1             1
 2   1            0          1            1             1
 3   1            1          0            1             1
 4   0            1          0            0             0
 5   1            1          0            1             1
 6   1            0          1            0             0
 7   0            1          0            1             0

 interview(f4)
   0: offer=0  {x4, x6}
   1: gender(f1)
        0 (F): rank(f2)
                 0: offer=1  {x1}
                 1: offer=0  {x7}
        1 (M): offer=1  {x2, x3, x5}

Fig. 2. An example training dataset E (left) and the related decision tree T (right). 

Figure 2 shows a training set E, where each row in the table represents an 
example. The input features are a job candidate’s gender (0 = Female, 1 = Male), 
college rank (0 = Low, 1 = High), experience (0 = No, 1 = Yes), and interview 
score (0 = Not-Good, 1 = Good), while the output shows whether the job is 
offered (0 = No, and 1 = Yes). At the root of the decision tree, for instance, 
the input goes to the left branch when (f_4 = 0) and to the right branch when 
(f_4 = 1). The example illustrates three important notions associated with the 
training set: (1) partition of E, (2) entropy, and (3) conditional entropy. 


Partition. Given a set E and a feature f_j, we can partition E into subsets 
E_{f_j=0} and E_{f_j=1}, or E_{¬f_j} and E_{f_j}, respectively, in shorthand notation. Here, 
E_{¬f_j} = {(x_i, y_i) ∈ E | f_j(x_i) = 0} consists of examples whose f_j is 0, and 
E_{f_j} = {(x_i, y_i) ∈ E | f_j(x_i) = 1} consists of examples whose f_j is 1. By definition, 
we have E_{¬f_j} ⊆ E and E_{f_j} ⊆ E, E_{¬f_j} ∩ E_{f_j} = ∅ and E_{¬f_j} ∪ E_{f_j} = E. 

For our example in Fig. 2, partitioning the dataset by gender (f_1) results 
in subsets E_{f_1=F} = E_{¬f_1} = {(x_1, y_1), (x_4, y_4), (x_7, y_7)} and E_{f_1=M} = E_{f_1} = 
{(x_2, y_2), (x_3, y_3), (x_5, y_5), (x_6, y_6)}. 


Entropy. The diversity (or purity) of a set E may be measured by Shannon 
entropy. Let |E^+| be the number of examples in E with positive output label, and 
|E^−| be the number of examples with negative output label. The percentage of 
positive examples is |E^+|/|E|, and the percentage of negative examples is |E^−|/|E|. 
Thus, the entropy is 

$$H(E) = -\frac{|E^+|}{|E|}\log\Big(\frac{|E^+|}{|E|}\Big) - \frac{|E^-|}{|E|}\log\Big(\frac{|E^-|}{|E|}\Big).$$

For our example in Fig. 2, since |E^−| = 3 and |E^+| = 4, the entropy is 
$H(E) = -\frac{3}{7}\log(\frac{3}{7}) - \frac{4}{7}\log(\frac{4}{7}) \approx 0.985$. 


Conditional Entropy. Given a partition of the set E by the feature f_j, 
the entropy of each subset, E_{¬f_j} or E_{f_j}, is defined similarly. For our exam- 
ple, since E_{¬f_1} has 2/3 negative examples and 1/3 positive examples, the 
entropy is $H(E_{\neg f_1}) = -\frac{2}{3}\log(\frac{2}{3}) - \frac{1}{3}\log(\frac{1}{3}) \approx 0.918$. Similarly, since E_{f_1} has 
1/4 negative examples and 3/4 positive examples, the entropy is 
$H(E_{f_1}) = -\frac{1}{4}\log(\frac{1}{4}) - \frac{3}{4}\log(\frac{3}{4}) \approx 0.811$. 
The conditional entropy of E, with respect to f_j, is defined as follows: 

$$H(E \mid f_j) = \frac{|E_{\neg f_j}|}{|E|}\, H(E_{\neg f_j}) + \frac{|E_{f_j}|}{|E|}\, H(E_{f_j}).$$

For our running example, since there are 3 female and 4 male candidates, we 
have |E_{¬f_1}|/|E| = 3/7 and |E_{f_1}|/|E| = 4/7. Thus, the conditional entropy is 
$H(E \mid f_1) = \frac{3}{7} H(E_{\neg f_1}) + \frac{4}{7} H(E_{f_1}) \approx 0.857$. 

The difference between H(E) and H(E | f_j) is called the information gain, 
a metric for evaluating how effective f_j is in separating positive examples from 
negative examples in E. For our example, since H(E) ≈ 0.985 and H(E | f_1) ≈ 
0.857, the information gain (of partitioning E) by gender (f_1) is 0.985 − 0.857 = 
0.128. In contrast, the information gain by interview (f_4) is 0.985 − 0.516 = 
0.469. Thus, f_4 is more effective as a decision attribute. 


Real-Valued Features. It is important to note that, while the above examples 
use Boolean features, our method is more general in that it allows all features 
to have real values, i.e., x_i ∈ [0,1]^k instead of x_i ∈ {0,1}^k. We accomplish this 
by applying one-hot encoding to any categorical feature and normalizing any 
real-valued feature to the [0,1] domain. Thus, the branch predicates become 
(f_j < b_j) and (f_j ≥ b_j), instead of (f_j = 0) and (f_j = 1), where b_j ∈ (0,1] is a 
threshold computed by our method. For example, if f_j is the (normalized) salary 
and b_j = 0.5, the branch predicates are (f_j < 0.5) and (f_j ≥ 0.5). 


2.2 Decision Tree Learning 


A decision tree T is a binary tree consisting of a set of nodes and a set of 
edges. Let the set of nodes be V ∪ L, where V is the subset of branch nodes 
(including the root) and L is the subset of leaf nodes. Let E be the set of edges 
between these nodes. A path in T is a sequence of nodes and edges, denoted 
v_0, e_1, v_1, ..., v_n, e_n, l_n, where v_0 is the root, l_n is a leaf node, v_1, ..., v_n are the 
internal nodes, and e_1, ..., e_n are the edges. 

Each edge has a branch condition. The edge is activated only if the condition 
holds for a given input x. In Fig. 2, for example, the left-most path of the decision 
tree has the condition f_4(x) = 0 and output offer = 0, while the right-most path 
has the condition (f_4(x) = 1) ∧ (f_1(x) = M) and output offer = 1. 

Given a training set E = {(x_i, y_i)}, where x_i is an input and y_i is the known 
output, mainstream algorithms aim to learn a decision tree T that minimizes 
the classification error. They also aim to minimize the tree size which, in general, 
allows T to generalize well on the test examples. 


The Baseline Algorithm. Algorithm 1 shows the top-level procedure of these 
mainstream algorithms. It takes the training set E and the feature set F as input, 
and returns a decision tree (T) as output. These mainstream algorithms use a 
greedy method to recursively select decision attributes from F and use them to 
partition the training set E. At each step, it selects the best feature f* using the 
subroutine FINDNEXTFEATURE. 

In CART, for example, FINDNEXTFEATURE is entropy-based, to maximize the 
information gain of partitioning E by f as shown in Algorithm 2. While this is 
fast and often leads to high classification accuracy, it does not consider fairness 
and thus often produces biased decision trees. In this work, we use iterative 
constraint solving to overcome the limitation. 

Algorithm 1. The baseline decision tree learning procedure T = DTL(E, F). 

 1: Input: training set E = {(x_1, y_1), ..., (x_n, y_n)} and feature set F = {f_1, f_2, ..., f_k}
 2: Output: decision tree T
 3: if all examples in E have the same label l = LABEL(E)
 4:     return T = LeafNode(l)
 5: else if F = ∅ and the most common label of E is l* = MOSTCOMMONLABEL(E)
 6:     return T = LeafNode(l*)
 7: else if E = ∅ and in E.parent, we have l* = MOSTCOMMONLABEL(E.parent)
 8:     return T = LeafNode(l*)
 9: else
10:     T = BranchNode(f*), where f* = FINDNEXTFEATURE(E, F)
11:     foreach value i ∈ {0,1} of the chosen feature f*
12:         T_i = DTL(E_{f*=i}, F \ {f*})
13:         Add an edge from T to T_i with label (f*(x) = i)
14:     return T

Algorithm 2. Subroutine FINDNEXTFEATURE(E, F) used in CART. 

 1: Let H(E) := −Σ_{l∈{+,−}} (|E^l|/|E|) log(|E^l|/|E|)              ▷ Entropy
 2: Let H(E | f) := Σ_{i∈{0,1}} (|E_{f=i}|/|E|) H(E_{f=i})           ▷ Conditional Entropy
 3: return f* = argmax_{f∈F} H(E) − H(E | f)

After f* is computed by FINDNEXTFEATURE, Algorithm 1 uses it to partition 
the training set E, and recursively process the two subsets: DTL(E_{f*=0}, F \ {f*}) 
and DTL(E_{f*=1}, F \ {f*}). The recursion ends when 

— all training examples in the set E have the same class label (Lines 3-4); 
— there are no features left in F to split E further (Lines 5-6); or 
— the set E is empty (Lines 7-8). 
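The entropy, conditional entropy and information gain of Sect. 2.1 together with the recursive procedure of Algorithms 1 and 2, as an added Python example that is not the paper's code: it learns a tree from the seven Fig. 2 rows with the CART criterion and reproduces the numbers quoted above (H(E) ≈ 0.985, H(E | f_1) ≈ 0.857, gains 0.128 for gender and 0.469 for interview). The feature order, the tuple representation of the tree, the handling of an empty E before the other base cases, and the tie-breaking rule in find_next_feature are assumptions of this example.

```python
"""Entropy-based decision tree learning (Algorithms 1 and 2) on the Fig. 2 data.

Added example, not the paper's code. Features and labels are Boolean, the
feature order is (gender f1, rank f2, experience f3, interview f4), and the
seven rows are the hiring dataset of Fig. 2. Logarithms are base 2.
"""
from collections import Counter
from math import log2

FEATURES = ["gender", "rank", "experience", "interview"]

# Constructed from the Fig. 2 table: ((f1, f2, f3, f4), offer).
DATASET = [
    ((0, 0, 1, 1), 1),
    ((1, 0, 1, 1), 1),
    ((1, 1, 0, 1), 1),
    ((0, 1, 0, 0), 0),
    ((1, 1, 0, 1), 1),
    ((1, 0, 1, 0), 0),
    ((0, 1, 0, 1), 0),
]


def entropy(examples):
    """Shannon entropy H(E) of the class labels; H of an empty set is 0."""
    n = len(examples)
    if n == 0:
        return 0.0
    counts = Counter(y for _, y in examples)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def partition(examples, j):
    """Split E by feature j into (E_{f_j=0}, E_{f_j=1})."""
    return tuple([e for e in examples if e[0][j] == v] for v in (0, 1))


def conditional_entropy(examples, j):
    """H(E | f_j) = sum_v |E_{f_j=v}| / |E| * H(E_{f_j=v})."""
    n = len(examples)
    return sum(len(part) / n * entropy(part) for part in partition(examples, j))


def information_gain(examples, j):
    """The CART splitting criterion: H(E) - H(E | f_j)."""
    return entropy(examples) - conditional_entropy(examples, j)


def most_common_label(examples):
    return Counter(y for _, y in examples).most_common(1)[0][0]


def find_next_feature(examples, features):
    """Algorithm 2: the remaining feature with maximal information gain
    (ties go to the feature listed first, an assumption of this example)."""
    return max(features, key=lambda j: information_gain(examples, j))


def dtl(examples, features, parent=None):
    """Algorithm 1, DTL(E, F). A leaf is its class label (0 or 1); a branch node
    is the tuple ('split', j, {0: T_0, 1: T_1}) with one edge per feature value."""
    if not examples:                      # Lines 7-8: empty E, use the parent's majority label
        return most_common_label(parent)
    labels = {y for _, y in examples}
    if len(labels) == 1:                  # Lines 3-4: all examples share one label
        return labels.pop()
    if not features:                      # Lines 5-6: no feature left to split on
        return most_common_label(examples)
    j = find_next_feature(examples, features)                            # Line 10
    remaining = [f for f in features if f != j]
    subsets = partition(examples, j)
    children = {v: dtl(subsets[v], remaining, examples) for v in (0, 1)}  # Lines 11-13
    return ("split", j, children)


def predict(tree, x):
    """Follow the activated edges from the root to a leaf and return its label."""
    while isinstance(tree, tuple):
        _, j, children = tree
        tree = children[x[j]]
    return tree


def learn_fig2_tree():
    """Run DTL on the Fig. 2 training set with all four features available."""
    return dtl(DATASET, list(range(len(FEATURES))))
```

The learned tree splits on interview at the root, on gender below it and on college rank for the female candidates, which is exactly the tree drawn in Fig. 2; this is the starting point the paper criticises, since the greedy criterion never looks at the sensitive feature's effect on the outcome.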


2.3 Fairness Metric 


Given a training set E and a sensitive feature f_s ∈ F, e.g., race or gender, the 
goal is to construct a decision tree T that maximizes classification accuracy while 
minimizing bias. The metric concerned in this work, demographic parity [11,38], 
comes from the legal guideline in the United States for avoiding employment 
discrimination. Known as the 80% rule [8], it says the percentage at which 
candidates from one protected group are offered jobs should be at least 80% of 
the percentage at which candidates from another group are offered jobs. 
This is formalized using the fairness index, F_{f_s}(T, E), defined as follows: 

$$F_{f_s}(T, E) = \frac{\Pr[T(x) = + \mid f_s(x) = 0]}{\Pr[T(x) = + \mid f_s(x) = 1]} \qquad (1)$$

where Pr[T(x) = + | f_s(x) = 0], or Pr^+_0 in short, is the probability of pos- 
itive examples under the condition f_s(x) = 0, and Pr[T(x) = + | f_s(x) = 1], 
or Pr^+_1 in short, is the probability of positive examples under the condition 
f_s(x) = 1. Thus, we have 

$$\Pr{}^+_0 = \frac{|\{x \in E \mid f_s(x) = 0 \wedge T(x) = +\}|}{|\{x \in E \mid f_s(x) = 0\}|} \quad\text{and}\quad \Pr{}^+_1 = \frac{|\{x \in E \mid f_s(x) = 1 \wedge T(x) = +\}|}{|\{x \in E \mid f_s(x) = 1\}|}.$$

Demographic parity means 0.8 ≤ F_{f_s}(T, E) ≤ (1/0.8) = 1.25. For the example 
in Fig. 2, since F_{f_1}(T, E) = 0.44 for gender (f_1), the tree fails to satisfy the 80% 
rule due to bias against female. The bias is explicit in that f_1 is actually used in 
the edge labels of the right most two paths of the decision tree. However, even if 
f_1 is not used in T explicitly, T may still be biased against female, for example, 
if other non-sensitive features (or their combinations) are statistically correlated 
to f_1 and, as a result, introduce bias against female. This is the reason why 
mitigating bias during decision tree learning is a challenging task. 

Algorithm 3. Subroutine FINDNEXTFEATURE(E, F) in our method. 

 1: Let f_s be the sensitive feature
 2: (O, Φ) = DTLENCODING(E, F, f_s)
 3: f* = MIOSOLVER(O, Φ)
 4: return f*
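The fairness index of Eq. (1) and the 80% rule check, as an added Python example that is not the paper's code. The Fig. 2 tree is hand-coded as fig2_tree, gender (index 0) is the sensitive feature f_s, and the treatment of the corner cases (a group missing from E, a group with no positive outcome) is an assumed convention, since the page does not define it. It reproduces F_{f_1}(T, E) = 4/9 ≈ 0.44 and also audits a classifier that never reads the sensitive feature, which is the situation the last sentences above describe.

```python
"""Demographic parity (Eq. (1) and the 80% rule) of the Fig. 2 decision tree.

Added example, not the paper's code. The tree is hand-coded from Fig. 2
(interview, then gender, then college rank); the seven inputs are the Fig. 2
training set in feature order (gender f1, rank f2, experience f3, interview f4),
and gender (index 0) is the sensitive feature f_s with 0 = female, 1 = male.
"""
from math import inf

# Constructed from the Fig. 2 table; only the inputs are needed here because
# the fairness index is computed on the tree's own predictions T(x).
INPUTS = [
    (0, 0, 1, 1), (1, 0, 1, 1), (1, 1, 0, 1), (0, 1, 0, 0),
    (1, 1, 0, 1), (1, 0, 1, 0), (0, 1, 0, 1),
]


def fig2_tree(x):
    """T(x) for the tree drawn in Fig. 2: 1 means offer (+), 0 means no offer (-)."""
    gender, rank, _experience, interview = x
    if interview == 0:
        return 0                  # left-most path: f4 = 0, offer = 0
    if gender == 1:
        return 1                  # right-most path: (f4 = 1) and (f1 = M), offer = 1
    return 1 if rank == 0 else 0  # female candidates are further split by rank


def positive_rate(predict, inputs, sensitive, group):
    """Pr[T(x) = + | f_s(x) = group] estimated on the inputs; None if the group is absent."""
    members = [x for x in inputs if x[sensitive] == group]
    if not members:
        return None
    return sum(predict(x) for x in members) / len(members)


def fairness_index(predict, inputs, sensitive):
    """F_{f_s}(T, E) = Pr+_0 / Pr+_1 as in Eq. (1).

    Assumed conventions for the corner cases the paper does not spell out:
    a missing group raises, 0/0 is treated as parity (1.0) and x/0 as inf."""
    p0 = positive_rate(predict, inputs, sensitive, 0)
    p1 = positive_rate(predict, inputs, sensitive, 1)
    if p0 is None or p1 is None:
        raise ValueError("both values of the sensitive feature must occur in E")
    if p1 == 0:
        return 1.0 if p0 == 0 else inf
    return p0 / p1


def satisfies_80_percent_rule(index):
    """Demographic parity: 0.8 <= F <= 1/0.8 = 1.25."""
    return 0.8 <= index <= 1.25


def audit(predict, inputs, sensitive=0):
    """Return (Pr+_0, Pr+_1, F, passes) for any classifier over the inputs."""
    f = fairness_index(predict, inputs, sensitive)
    return (positive_rate(predict, inputs, sensitive, 0),
            positive_rate(predict, inputs, sensitive, 1),
            f, satisfies_80_percent_rule(f))
```

audit takes any callable, so the same check applies to a tree that never tests gender: a classifier that returns the interview score alone gives Pr^+_0 = 2/3 and Pr^+_1 = 3/4 on these seven inputs, F = 8/9, and passes, whereas the Fig. 2 tree with its explicit gender split gives F = 4/9 and fails.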


3 Our Method 


To minimize the bias and, at the same time, maximize the classification accuracy, 
we propose to follow the top-level procedure in Algorithm 1, but formulate 
feature selection as a series of mixed-integer optimization (MIO) subproblems. 

As shown in Algorithm 3, each of our MIO subproblems consists of an objec- 
tive function O and a constraint Φ, and the solution is an assignment of the 
numerical variables (shared by O and Φ) that minimizes O while satisfying Φ. In 
the remainder of this section, we present our symbolic encoding of the objective 
function, O, and the constraint, Φ, respectively. 


3.1 The Objective Function O 


We define the function as O := O_accu + α O_tree − β O_fair, consisting of com- 
ponents for accuracy loss (O_accu), tree size (O_tree), and fairness score (O_fair), 
respectively. The constants, α and β, are used to make trade-offs. In our imple- 
mentation, α is fixed to 1/(2^{K+1} − 2) while β is the optimal value in [0, 1] selected 
using n-fold cross-validation. 

Specifically, we test the values 0.02, 0.04, 0.06, ... to 1.00 and, for each fold of 
the dataset, we compute the objective function and choose β with the minimal 
objective value. In general, a bigger β means more fairness. Our experiments 
show that, as β gets larger, O_fair remains constant initially and then starts 
increasing while O_accu remains constant, and then O_accu starts increasing. 

Since the decision tree structure is not known a priori, we encode a com- 
plete binary tree while allowing all branch and leaf nodes to be activated or 
de-activated. Recall that L is the subset of leaf nodes, V is the subset of branch 
nodes, l ∈ L denotes a leaf node, and v ∈ V denotes a branch node. 


Tree Size (O_tree := Σ_{v∈V} p_v). We assign a variable p_v to each branch node 
v ∈ V, to indicate if a feature is used to split v. Thus, p_v = 1 means v is split, 
while p_v = 0 means v is not split. To get a valid decision tree, p_v must be 
constrained also by formula Φ (Sect. 3.2). Assuming the number of p_v variables 
is |V|, the tree size is the number of p_v variables with value 1. 

Accuracy Loss (O_accu := (1/|L|) Σ_{l∈L} L_l). We assign a variable L_l to each leaf 
node l ∈ L to represent the misclassification error at l. Since we start with a 
complete tree, each leaf node corresponds to a distinct path. The actual value 
of L_l is defined by formula Φ (Sect. 3.3). Assuming the number of L_l variables is 
|L|, the accuracy loss is measured by averaging the L_l values. 

Fairness Score (O_fair := F). We assign a variable F to represent the over- 
all fairness score of the decision tree. The value of F is defined by formula Φ 
(Sect. 3.4) according to the definition of demographic parity. 

Next, we present our encoding of formula Φ := Φ_tree ∧ Φ_accu ∧ Φ_fair, where 
Φ_tree encodes the hierarchical structure of the tree, Φ_accu encodes the accuracy 
requirement, and Φ_fair encodes the fairness requirement. They share variables 
with O_tree, O_accu and O_fair in the objective function, such as p_v, L_l, and F. 
Note that, since the constraint will be solved by an off-the-shelf MIO solver, Φ 
must be encoded as a conjunction of equality/inequality constraints. If logical-or 
operators are needed, they must be converted to equality/inequality operators. 


3.2 Encoding of the Decision Tree (Φ_tree) 


Given a node, which may be the root of the decision tree under construction, or 
any of its branch nodes, we consider a depth-K complete binary tree rooted at 
that node. Since it is a complete binary tree, there are precisely T_K = 2^{K+1} − 1 
nodes with indices 1 ... T_K and, for any node n, the left and right child nodes 
have indices 2n and 2n + 1, respectively. Furthermore, the set of leaf nodes is 
L = {2^K, 2^K + 1, ..., 2^{K+1} − 1}, where |L| = 2^K, and the set of branch nodes is 
V = {1, 2, ..., 2^K − 1}, where |V| = 2^K − 1. 
[Fig. 3 diagram: branch node 1 with edges (w_1^T x < b_1) and (w_1^T x ≥ b_1) to nodes 2 and 3; 
node 2 with edges (w_2^T x < b_2) and (w_2^T x ≥ b_2) to leaves 4 and 5; 
node 3 with edges (w_3^T x < b_3) and (w_3^T x ≥ b_3) to leaves 6 and 7.] 

Fig. 3. Example of a complete binary tree, where V = {1, 2, 3} are branch nodes, L = 
{4, 5, 6, 7} are leaf nodes, and the decision thresholds b_1, b_2 and b_3 belong to [0, 1]. (Color 
figure online) 


— Every leaf node l ∈ L has an output class label, and the path from root to l 
represents a classification rule, which assigns any input x that goes through 
the path to the output class. 

— Every branch node v ∈ V has a vector w_v of bits for selecting the feature. 
Thus, at most one bit in w_v is 1, and w_v[i] = 1 means feature f_i is selected. 
For input x, the value of the selected feature is f_i(x) = w_v^T x. 

— When node v is split by a feature, its outgoing edges are labeled (w_v^T x < b_v) 
and (w_v^T x ≥ b_v), respectively. Here, b_v ∈ (0, 1] is a symbolic threshold. When 
f_i(x) = w_v^T x is a Boolean feature and b_v = 1, for example, (w_v^T x < 1) means 
f_i(x) = 0, and (w_v^T x ≥ 1) means f_i(x) = 1. 


Figure 3 shows a depth-2 binary tree whose branch nodes are colored in teal 
and leaf nodes are colored in red. The thresholds b_1, b_2 and b_3 may be either 0 
or a value in (0, 1]: only when they are non-zero, the corresponding nodes are 
split by features. 

For instance, when b_2 is set to 1, if edge condition (w_2^T x < 1) holds, input x 
goes to the left child, and if (w_2^T x ≥ 1) holds, x goes to the right child. When b_2 is 
set to 0, however, since edge condition (w_2^T x < 0) is always false and (w_2^T x ≥ 0) 
is always true, input x always goes to the right child. In other words, b_2 = 0 
disallows splitting at node v = 2. 


Symbolic Variables. To model how a feature splits the training set, we define 
some symbolic variables first. 


— Input (x_{ij}): We use x_{ij} to model the j-th feature of the i-th input in E. 
Thus, i ∈ [1...n], j ∈ [1...k], n = |E|, and k = |F|. The value of x_{ij} may be 
any real number from 0 to 1, i.e., x_{ij} ∈ [0, 1]. 

— Split (p_v): For every branch node v ∈ V, we use p_v to model if v is split by 
a feature. The value of p_v is either 0 (no) or 1 (yes). 

— Selection (w_{vj}): We use w_{vj} to model if the j-th feature is selected by node 
v ∈ V. The value of w_{vj} is either 0 (no) or 1 (yes). Since both w_v and x are 
k-bit vectors, w_v^T x is the value of the selected feature for a given input x. 

— Threshold (b_v): We use b_v to control the activation of branch conditions 
at node v ∈ V. When b_v = 0, input x always goes to the right child since 
condition (w_v^T x < 0) is unsatisfiable. Otherwise, x goes to the left child when 
(w_v^T x < b_v), and to the right child when (w_v^T x ≥ b_v). 

— Input Association (z_{it}): We use z_{it} to model if the i-th input, x_i, is asso- 
ciated with node t ∈ L ∪ V. The value of z_{it} is either 0 (no) or 1 (yes). 

— Empty Association (I_l): For every leaf node l ∈ L, we use I_l to model if l 
has any associated input. The value of I_l is either 0 (no) or 1 (some). 


Formula Pree. We define the formula as ®iree := Hspuit ^ Hedge ^ Meat ^ 
Tpranch Where IT spi: encodes how features are used to split branch nodes, Hedge 
encodes the constraints on edges, IZjeq¢ encodes the constraints on leaf nodes, 
and branen encodes the constraints on branch nodes. 


Subformula Ispit. We construct Heput by constraining pv, Wy;, and by: 


k} Wvj = 1) to ensure 


pee 


1. If p, = 1, meaning v € VY is split, we require (jen 
exactly one feature is selected. We also require (b, > 0) to activate the branch 
conditions on the outgoing edges, (w?x < b,) and (wT ax > by). 

2. If p, = 0, meaning v is not split, we require (jet at k} Wuj = 0) to ensure 

no feature is selected, and (b, = 0) to de-activate the left branch. That is, 

input x always goes to the right, while the left subtree stops growing. 


Thus, we have Msprit := Ayey eq 


Subformula Ieage. We construct Ieage by constraining the p, variables: If node 
v E V stops splitting, its child nodes also stop splitting. That is, when p, = 0, 
both po, and poy; must also be 0. 

Thus, we have Hedge = Nocy (Py 2 Pæ) ^ (Py 2 Pov+1). 


k} Wyj = Pv) A (0 <S by <S Pv). 


Subformula $\Pi_{leaf}$. We construct $\Pi_{leaf}$ by constraining the variables $z_{i,l}$ and $I_l$:

1. For each input $x_i$, where $i \in \{1,\ldots,n\}$ and $n = |E|$, we require that $x_i$ is associated with exactly one leaf node $l \in \mathcal{L}$, i.e., $(\sum_{l \in \mathcal{L}} z_{i,l} = 1)$.

2. If $I_l = 0$, meaning no input is associated with $l$, we require that $(z_{i,l} = 0)$ for all $i \in \{1,\ldots,n\}$. This is encoded as $\bigwedge_{l \in \mathcal{L}} (z_{i,l} \le I_l)$.

Thus, we have $\Pi_{leaf} := \bigwedge_{i \in \{1,\ldots,n\}} (\sum_{l \in \mathcal{L}} z_{i,l} = 1) \wedge \bigwedge_{l \in \mathcal{L}} (z_{i,l} \le I_l)$.


Subformula $\Pi_{branch}$. We construct $\Pi_{branch}$ by constraining $w_{v,j}$, $b_v$, and $z_{i,t}$:

1. In a complete binary tree, the depth-$d$ nodes are $v \in \{2^d, \ldots, 2^{d+1}-1\}$. Since exactly one of them is associated with input $x_i$, we require that the condition $\Pi_{i,d,1} := (\sum_{v \in \{2^d,\ldots,2^{d+1}-1\}} z_{i,v} = 1)$ holds.

2. At each node $v \in V$, since input $x_i$ is associated with either the left child $L = 2v$ or the right child $R = 2v+1$, but not both, we require that the following three conditions hold:

$\Pi_{i,d,2} := \bigwedge_{v \in \{2^d,\ldots,2^{d+1}-1\}} (z_{i,v} = z_{i,2v} + z_{i,2v+1})$

$\Pi_{i,d,3} := \bigwedge_{v \in \{2^d,\ldots,2^{d+1}-1\}} (\sum_{j \in \{1,\ldots,k\}} w_{v,j}\, x_{i,j} - (1 - z_{i,L}) < b_v)$

$\Pi_{i,d,4} := \bigwedge_{v \in \{2^d,\ldots,2^{d+1}-1\}} (\sum_{j \in \{1,\ldots,k\}} w_{v,j}\, x_{i,j} + (1 - z_{i,R}) \ge b_v)$

Thus, we have $\Pi_{branch} := \bigwedge_{i \in \{1,\ldots,n\}} \bigwedge_{d \in \{0,\ldots,K-1\}} (\Pi_{i,d,1} \wedge \Pi_{i,d,2} \wedge \Pi_{i,d,3} \wedge \Pi_{i,d,4})$.


Explanation of $\Pi_{i,d,3}$ and $\Pi_{i,d,4}$. What we would like to encode in $\Pi_{i,d,3}$ is the fact that the branch condition $(\sum_j w_{v,j}\, x_{i,j} < b_v)$ may be either TRUE ($x_i$ goes to the left child $L$ when $z_{i,L} = 1$ and $b_v \in (0,1]$) or FALSE ($x_i$ goes to the right child $R$ when $z_{i,L} = 0$ and $b_v \in (0,1]$, or when $b_v = 0$). However, since off-the-shelf MIO solvers do not support logical-or operators, we have to encode these different scenarios in a single inequality constraint. This is accomplished by adding a slack value, $-(1 - z_{i,L})$, to the branch condition. Similarly, in $\Pi_{i,d,4}$, we add a slack value, $(1 - z_{i,R})$, to the branch condition $(\sum_j w_{v,j}\, x_{i,j} \ge b_v)$.
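The slack trick can be checked mechanically. The following Python is an added illustration, not code from the paper or from the SFTree tool: it evaluates $\Pi_{i,d,3}$ and $\Pi_{i,d,4}$ for one input at one node, assumes (as the paper does) that the selected feature value $w_v^T x_i$ and the threshold $b_v$ lie in $[0,1]$, and enumerates which routing choices $(z_{i,L}, z_{i,R})$ the two inequalities leave open. The function names are the example's own.

```python
"""Single-inequality (slack) encoding of a branch condition, Pi_{i,d,3} / Pi_{i,d,4}.

Added example; not the paper's code. It assumes, as the paper does, that the
selected feature value w_v^T x_i and the threshold b_v lie in [0, 1], so a
slack of 1 is enough to switch an inequality off.
"""
from itertools import product


def branch_constraints_hold(wx, b, z_left, z_right):
    """Evaluate Pi_{i,d,3} and Pi_{i,d,4} for one input at one node.

    wx      : w_v^T x_i, the selected feature value, in [0, 1]
    b       : threshold b_v (b = 0 means node v is not split)
    z_left  : z_{i,2v}, 1 if x_i is routed to the left child
    z_right : z_{i,2v+1}, 1 if x_i is routed to the right child
    """
    # Pi_{i,d,3}: w^T x - (1 - z_L) < b.  With z_L = 0 the slack subtracts 1,
    # which satisfies the inequality for every wx, b in [0, 1] except wx = 1, b = 0.
    left_ok = wx - (1 - z_left) < b
    # Pi_{i,d,4}: w^T x + (1 - z_R) >= b.  With z_R = 0 the slack adds 1.
    right_ok = wx + (1 - z_right) >= b
    return left_ok and right_ok


def intended_child(wx, b):
    """Routing rule stated in prose: left iff w^T x < b, and b = 0 forces right."""
    return "left" if (b > 0 and wx < b) else "right"


def feasible_routings(wx, b):
    """Children a solver may route x_i to, given z_L + z_R = 1 (Pi_{i,d,2})."""
    out = []
    for z_left, z_right in ((1, 0), (0, 1)):
        if branch_constraints_hold(wx, b, z_left, z_right):
            out.append("left" if z_left else "right")
    return out


def encoding_matches_rule(steps=20):
    """Exhaustive grid check: the inequalities admit exactly the intended child.

    wx ranges over [0, 1) and b over [0, 1]; the corner wx = 1, b = 0 is
    discussed in the note after this block.
    """
    wx_grid = [k / steps for k in range(steps)]
    b_grid = [k / steps for k in range(steps + 1)]
    return all(feasible_routings(wx, b) == [intended_child(wx, b)]
               for wx, b in product(wx_grid, b_grid))
```

On the grid the two inequalities admit exactly the child the prose rule picks, and with $b_v = 0$ only the right child remains feasible, as intended. The one corner a constant slack of 1 does not cover is $w_v^T x_i = 1$ with $b_v = 0$, where $\Pi_{i,d,3}$ reduces to $0 < 0$ for both routings; keeping feature values strictly below 1, or using a slack slightly larger than 1, closes it. Separately, MIO solvers accept only non-strict constraints, so the "$<$" in $\Pi_{i,d,3}$ has to be written as $\le b_v - \epsilon$ for a small $\epsilon$ when the model is built.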


3.3 Encoding of the Accuracy Requirement ($\Phi_{accu}$)

To minimize the accuracy loss defined in $O_{accu} := \frac{1}{|E|} \sum_{l \in \mathcal{L}} L_l$ (Sect. 3.1), we need to constrain the $L_l$ variables in $\Phi_{accu}$ such that $L_l$ models the misclassification error at the leaf node $l \in \mathcal{L}$. In the depth-$K$ complete binary tree, there are $|\mathcal{L}| = 2^K$ leaf nodes. For each leaf node $l$, variable $L_l$ represents the number of misclassified examples $(x_i, y_i) \in E$: an example is misclassified if the given output $y_i$ does not match the predicted output $T(x_i)$.

The formula $\Phi_{accu} := \Phi_p \wedge \Phi_N \wedge \Phi_\theta \wedge \Phi_{loss}$ consists of four subformulas.


Subformula $\Phi_p$. For each $(x_i, y_i) \in E$, where $i \in \{1,\ldots,n\}$ and $n = |E|$, and for each output value $m \in \{0,1\}$, we use $p_{i,m}$ to model if $(y_i = m)$. The value of $p_{i,m}$, which is either 0 or 1, is $const_{i,m} := (y_i = m)\ ?\ 0 : 1$.

Thus, we have $\Phi_p := \bigwedge_{i=1}^{n} \bigwedge_{m=0}^{1} (p_{i,m} = const_{i,m})$.

Subformula $\Phi_N$. We use variable $N_l$ to represent the number of examples associated with leaf node $l$, and $N_{l,m}$ to represent those with output value $m$.

Thus, we have $\Phi_N := \bigwedge_{l \in \mathcal{L}} (N_l = \sum_{i=1}^{n} z_{i,l}) \wedge (N_{l,m} = \sum_{i=1}^{n} z_{i,l}\,(1 - p_{i,m}))$.


Subformula $\Phi_\theta$. According to Lines 5-8 of Algorithm 1, each leaf node has an output class label $\theta_l = \arg\max_{m \in \{0,1\}} N_{l,m}$. Since $\arg\max$ cannot be directly encoded, we define a matrix of $\theta_{l,m}$ variables in $\{0,1\}$, where $\theta_{l,m} = 1$ means the output label of node $l$ is $m$. By definition, only one $\theta_{l,m}$ variable can be 1 for each $l$.

Thus, we have $\Phi_\theta := \bigwedge_{l \in \mathcal{L}} (\sum_{m \in \{0,1\}} \theta_{l,m} = 1)$.


Subformula $\Phi_{loss}$. Assume that $m$ is the output label predicted by the leaf node $l$. The misclassification error, $L_l$, is equal to the number of examples associated with $l$, denoted $N_l$, minus the number of examples that have the most common label $m$, denoted $\max_{m \in \{0,1\}} N_{l,m}$.

To avoid max/min in $L_l = N_l - \max_{m \in \{0,1\}} N_{l,m} = \min_{m \in \{0,1\}} (N_l - N_{l,m})$, we use the $\theta_{l,m}$ variables and the constant $n = |E|$ to rewrite the constraint as:

$(L_l \ge 0) \wedge \bigwedge_{m \in \{0,1\}} (L_l \ge N_l - N_{l,m} - n(1 - \theta_{l,m})) \wedge (L_l \le N_l - N_{l,m} + n\,\theta_{l,m})$

Thus, we have $\Phi_{loss} := \bigwedge_{l \in \mathcal{L}} (L_l \ge 0) \wedge \bigwedge_{m \in \{0,1\}} (L_l \ge N_l - N_{l,m} - n(1 - \theta_{l,m})) \wedge (L_l \le N_l - N_{l,m} + n\,\theta_{l,m})$.
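To see what the big-M constraints actually pin down, here is an added Python illustration (not the paper's code) that, for one leaf with constructed counts, enumerates the $\theta_{l,m}$ assignments permitted by $\Phi_\theta$ and the interval of $L_l$ values that $\Phi_{loss}$ leaves open for each of them. The names are the example's own.

```python
"""Big-M encoding of the leaf misclassification error L_l (Phi_theta and Phi_loss).

Added example; not the paper's code. For one leaf it takes the counts N_l,
N_{l,0}, N_{l,1} (constructed below) and the dataset size n, enumerates the
theta_{l,m} assignments allowed by Phi_theta, and reports the interval of L_l
values that Phi_loss admits for each. The objective in Eq. 3 then drives L_l
to the lower end of that interval.
"""


def loss_interval(N_l, N_lm, n, theta):
    """Interval [lo, hi] of L_l satisfying Phi_loss, or None if infeasible.

    N_lm  : {0: N_{l,0}, 1: N_{l,1}}
    theta : {0: theta_{l,0}, 1: theta_{l,1}}, exactly one of them 1 (Phi_theta)
    """
    if sum(theta.values()) != 1:
        raise ValueError("Phi_theta requires exactly one theta_{l,m} = 1")
    lo, hi = 0, n                      # L_l >= 0; n is a trivial upper bound
    for m in (0, 1):
        # L_l >= N_l - N_{l,m} - n(1 - theta_{l,m}): binding only for the chosen label
        lo = max(lo, N_l - N_lm[m] - n * (1 - theta[m]))
        # L_l <= N_l - N_{l,m} + n theta_{l,m}: binding only for the other label
        hi = min(hi, N_l - N_lm[m] + n * theta[m])
    return (lo, hi) if lo <= hi else None


def admissible_labels(N_l, N_lm, n):
    """Map from label m (theta_{l,m} = 1) to the smallest L_l that Phi_loss admits."""
    result = {}
    for label in (0, 1):
        theta = {0: int(label == 0), 1: int(label == 1)}
        interval = loss_interval(N_l, N_lm, n, theta)
        if interval is not None:
            result[label] = interval[0]
    return result


def min_loss(N_l, N_lm, n):
    """L_l chosen by the minimisation; equals N_l - max_m N_{l,m}."""
    return min(admissible_labels(N_l, N_lm, n).values())


# Constructed leaf: 10 examples, 3 with label 0 and 7 with label 1, n = 100.
EXAMPLE_LEAF = dict(N_l=10, N_lm={0: 3, 1: 7}, n=100)
```

For the constructed leaf only $\theta_{l,1} = 1$ is feasible (choosing label 0 makes the lower bound 7 exceed the upper bound 3), and the admitted interval is $[N_l - N_{l,1},\, N_l - N_{l,0}] = [3, 7]$; the minimization pushes $L_l$ to 3, which is $N_l - \max_m N_{l,m}$. With a tie ($N_{l,0} = N_{l,1}$) both labels stay feasible and both give the same loss.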
3.4 Encoding of the Fairness Requirement


Formula $\Phi_{fair} := \Phi_{F_s} \wedge \Phi_{FM}$ has two subformulas. Here, $\Phi_{F_s}$ encodes the fairness index and $\Phi_{FM}$ encodes the constraints on the variables used in $\Phi_{F_s}$.

According to Eq. 1 (Sect. 2.3), the fairness index is defined as $F_s = P^+_{f_s=0} / P^+_{f_s=1}$, where $f_s$ is a sensitive feature such that $f_s(x)$, for any input $x \in E$, may be 0 or 1 (e.g., female and male), while $T(x) = +$ means the output generated by $T$ is positive (e.g., a job is offered). According to the "80% rule", demographic parity is achieved if $F_s$ is above 80%. In this work, our goal is to find a solution that (1) satisfies $(F_s \ge 0.8)$ and, at the same time, (2) maximizes the value of $F_s$.

However, the definition of $F_s$ shown in Eq. 1 has division operators, which are not supported by off-the-shelf MIO solvers. Furthermore, the divisor part of the equation varies even for a fixed set $E$ of examples, which makes the encoding a challenging task. To overcome the challenge, we refine the definition of $F_s$ as follows:

$$F_s = \frac{P^+_{f_s=0}}{P^+_{f_s=1}} = \frac{|\{x \in E \mid f_s(x) = 0,\, T(x) = +\}| \,/\, |\{x \in E \mid f_s(x) = 0\}|}{|\{x \in E \mid f_s(x) = 1,\, T(x) = +\}| \,/\, |\{x \in E \mid f_s(x) = 1\}|} = \frac{S_0^+ / S_0}{S_1^+ / S_1} \qquad (2)$$

For each of the four components, we create a symbolic variable. Variable $S_0$ represents the number of examples whose sensitive feature has the value 0 (e.g., female) for the gender feature ($f_s$). Variable $S_0^+$ represents the number of examples in $S_0$ that have the positive output (e.g., a job is offered). Variable $S_1$ represents the number of examples whose sensitive feature has the value 1 (e.g., male) for the gender feature ($f_s$). Variable $S_1^+$ represents the number of examples in $S_1$ that have the positive output.


Subformula $\Phi_{F_s}$. We use $\Phi_{F_s}$ to enforce the 80% rule: $F_s = \frac{S_0^+ / S_0}{S_1^+ / S_1} \ge 0.8$.

Assuming $S_0 > 0$, $S_0^+ > 0$, $S_1 > 0$, and $S_1^+ > 0$, we encode the rule as follows:

$\Phi_{F_s} := (S_0^+ \times S_1 - 0.8 \times S_0 \times S_1^+ \ge 0)$

There are two advantages of this encoding. First, the resulting constraint can be solved by off-the-shelf MIO solvers, whereas a direct encoding of Eq. 2 cannot. Second, the value of $(S_0^+ \times S_1 - 0.8 \times S_0 \times S_1^+)$ increases as $F_s$ increases; therefore, it can be used as part of the objective function, $O_{fair}$, to maximize $F_s$.


Subformula $\Phi_{FM}$. We use $\Phi_{FM}$ to constrain the variables $S_0$, $S_0^+$, $S_1$, and $S_1^+$. Toward this end, we need to define the following variables:

— $S_{0,i}$: We use variable $S_{0,i} \in \{0,1\}$, for $i \in \{1,\ldots,n\}$, to model if the value of $f_s(x_i)$ is 0. Thus, we require $S_{0,i} = 1$ when $f_s(x_i) = 0$, and $S_{0,i} = 0$ otherwise.

— $S^+_{0,i,l}$: We use variable $S^+_{0,i,l} \in \{0,1\}$, for $i \in \{1,\ldots,n\}$ and $l \in \mathcal{L}$, to model, at each leaf node $l \in \mathcal{L}$, if $x_i \in E$ is given the positive output. Thus, we require $S^+_{0,i,l} = 1$ when the following condition holds, and $S^+_{0,i,l} = 0$ otherwise:

$(\theta_{l,m} = 1 \;\wedge\; m = 1 \;\wedge\; z_{i,l} = 1 \;\wedge\; S_{0,i} = 1)$

In the condition above, $(\theta_{l,m} = 1)$ means the output label produced by the leaf node $l$ is $m$, and $(m = 1)$ means $m$ is the positive output ("+").

— $S_{1,i}$ and $S^+_{1,i,l}$: We define the variables $S_{1,i}$ and $S^+_{1,i,l}$ similarly to $S_{0,i}$ and $S^+_{0,i,l}$.

Thus, we have $\Phi_{FM} := (S_0 = \sum_{i \in \{1,\ldots,n\}} S_{0,i}) \wedge (S_0^+ = \sum_{i \in \{1,\ldots,n\}} \sum_{l \in \mathcal{L}} S^+_{0,i,l}) \wedge (S_1 = \sum_{i \in \{1,\ldots,n\}} S_{1,i}) \wedge (S_1^+ = \sum_{i \in \{1,\ldots,n\}} \sum_{l \in \mathcal{L}} S^+_{1,i,l})$.
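As an added illustration, not part of the paper's artifact, the following Python computes the four counts from constructed per-leaf summaries (what $\Phi_{FM}$ does symbolically), evaluates $F_s$ in its division form (Eq. 2) and the division-free score of $\Phi_{F_s}$, and checks that the two agree on the 80% rule. The names and the two constructed trees are the example's own.

```python
"""The 80% rule of Sect. 3.4 in its division form (Eq. 2) and in the
division-free form Phi_{F_s} that the MIO solver receives.

Added example; not the paper's code. It works on the four counts S_0, S_0^+,
S_1, S_1^+, derived here from constructed per-leaf summaries (n0 / n1 examples
with f_s = 0 / f_s = 1 at the leaf, and the leaf's label), which is what
Phi_FM computes symbolically inside the solver.
"""
from fractions import Fraction

RATIO = Fraction(4, 5)   # the 0.8 of the 80% rule, kept exact


def counts_from_leaves(leaves):
    """S_0, S_0^+, S_1, S_1^+ from leaf summaries; positive output means label 1."""
    S0 = sum(l["n0"] for l in leaves)
    S1 = sum(l["n1"] for l in leaves)
    S0p = sum(l["n0"] for l in leaves if l["label"] == 1)
    S1p = sum(l["n1"] for l in leaves if l["label"] == 1)
    return S0, S0p, S1, S1p


def fairness_index(S0, S0p, S1, S1p):
    """F_s = (S_0^+ / S_0) / (S_1^+ / S_1), Eq. 2; needs S_0, S_1^+ > 0 as the paper assumes."""
    return Fraction(S0p, S0) / Fraction(S1p, S1)


def fairness_score(S0, S0p, S1, S1p):
    """F = S_0^+ * S_1 - 0.8 * S_0 * S_1^+: the left-hand side of Phi_{F_s} and
    the term maximised through -beta * F in Eq. 3."""
    return S0p * S1 - RATIO * S0 * S1p


def satisfies_80_rule(S0, S0p, S1, S1p):
    """Phi_{F_s}: F >= 0 holds if and only if F_s >= 0.8 (for positive counts)."""
    return fairness_score(S0, S0p, S1, S1p) >= 0


# Constructed trees over 100 female (f_s = 0) and 100 male (f_s = 1) examples,
# summarised per leaf.  Only the leaf labelled 1 hands out the positive output.
UNFAIR_TREE = [dict(n0=30, n1=60, label=1), dict(n0=70, n1=40, label=0)]
FAIR_TREE = [dict(n0=50, n1=60, label=1), dict(n0=50, n1=40, label=0)]
```

Two practical points follow. $S_0$ and $S_1$ depend only on the data, so $\Phi_{F_s}$ is linear in the decision variables $S_0^+$ and $S_1^+$; what does need a linearization when the MIO model is built is the conjunction $\theta_{l,1} \wedge z_{i,l}$ behind each $S^+_{0,i,l}$ (the usual $s \le \theta_{l,1}$, $s \le z_{i,l}$, $s \ge \theta_{l,1} + z_{i,l} - 1$). And algebraically the score satisfies $F = S_0 \cdot S_1^+ \cdot (F_s - 0.8)$ for any positive counts, so it is $F_s - 0.8$ scaled by the number of positives given to the $f_s = 1$ group, which is itself a decision variable; the weight $\beta$ in Eq. 3 therefore acts on a quantity whose scale moves with the tree.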


Putting It All Together. Recall that, in Sect. 3.3, we have constrained the accuracy loss, $L_l$, in the objective function $O_{accu}$, and defined the objective function $O_{tree}$ in Sect. 3.1, which is used to minimize the tree size and thus reduce over-fitting. As for the objective function $O_{fair}$ (Sect. 3.1), we define the fairness score as follows: $F := (S_0^+ \times S_1 - 0.8 \times S_0 \times S_1^+)$.

Thus, we have the entire MIO problem as follows:

$$\text{minimize} \quad \frac{1}{|E|} \sum_{l \in \mathcal{L}} L_l \;+\; \alpha \sum_{v \in V} p_v \;-\; \beta F \qquad (3)$$

$$\text{subject to} \quad \Phi_{accu}(L_l) \wedge \Phi_{tree}(p_v) \wedge \Phi_{fair}(F)$$


4 Generalization and Performance Enhancement 


In this section, we first explain how our method relates to various existing algo- 
rithms (Sect. 4.1). Next, we present techniques for speeding up constraint solving 
while maintaining the quality of the solution (Sect. 4.2). Finally, we show that, 
beyond demographic parity, our method can encode other group fairness metrics, 
such as equal opportunity and equal odds (Sect. 4.3). 


4.1 Relating to Existing Algorithms 


Recall that our method performs feature selection by symbolically encoding a depth-$K$ binary tree, to perform a bounded look-ahead search of the optimal feature using the MIO solver. For ease of presentation, let us call the selected feature depth-$K$ optimal, where $K \in \{1, \ldots, +\infty\}$.


Depth-1 Optimal. When K = 1, the tree consists of the root node only and, 
as a result, look-ahead search is disabled. In this case, our method is the same 
as a purely greedy search method. Depending on whether fairness is encoded, 
there are two cases. 


— Without the fairness component, our method would compute the depth-1 
optimal feature that minimizes only the tree size and the accuracy loss. This 
is similar to mainstream decision tree learning algorithms such as CART. 

— With the fairness component, our method would compute the depth-1 optimal feature that minimizes the tree size and the accuracy loss, and maximizes the fairness score. This is similar to IGCS [24], a discrimination-aware technique for learning decision trees.


Our experimental evaluation (in Sect.5) shows that neither CART nor IGCS is 
effective in improving fairness, especially for larger datasets, primarily due to 
their inability to look beyond the current node. 
Depth-$\infty$ Optimal. When $K$ is set to a sufficiently large number, our method is able to find the globally optimal feature not only for the root node, but also for all other nodes in the decision tree. Thus, it would compute the entire decision tree in one shot.


— Without the fairness component, our method would act like the technique introduced by Bertsimas and Dunn [7], which laid the groundwork for encoding an optimal classification tree as a monolithic MIO problem.

— With the fairness component, our method would act like MIP, a fair learning technique introduced by Aghaei et al. [1].


Our experimental evaluation (in Sect. 5) shows that the computational overhead 
of the monolithic MIO approach or MIP is too high to be practically useful. We 
discuss how to set the value of K in our method in the next subsection. 


4.2 Performance Enhancement 


We propose two techniques for speeding up our method by (1) choosing the K 
value adaptively and (2) sampling the training examples in €. 


Choosing the K Value Adaptively. There is a trade-off between looking further ahead and reducing the constraint solving time. Given $n = |E|$ training examples, and $2^K$ leaf nodes in a depth-$K$ binary tree, the number of decision variables (such as $S^+_{0,i,l}$) would be $(n \times 2^K)$. Since mixed-integer optimization is NP-hard, the complexity of constraint solving is $O(2^{n \times 2^K})$. Empirically, we have found that Gurobi, a state-of-the-art solver, may take 1-2 h to solve a problem for $n = 1000$ training examples and tree depth $K = 7$; this is consistent with prior experimental results, e.g., Bertsimas and Dunn [7]. Unfortunately, supervised learning datasets in practice often bring as many as 50,000 training examples to the root node of a decision tree, although the number decreases gradually and may reach 0 for some leaf nodes. Therefore, setting $K$ to 7, or to any predetermined value, would not work well in practice.

Instead, we propose to set the K value adaptively. Given a time-out limit 
(T/O) for learning a decision tree, we start with a relatively small K value, say 
K = 2, to synthesize a decision tree. Then, we increase the K value to synthesize 
a better decision tree. We keep increasing the K value as long as the time limit 
is not yet reached, and the quality of the decision tree is improved. We measure 
the quality of the tree using the value of the objective function, O, which consists 
of the tree size, the accuracy loss, and the fairness score. 


Sampling the Training Examples. We propose to reduce the size of the constraints in $\Phi$ by sampling the training examples in $E$ before using them to construct the formula $\Phi$. Our experience shows that sampling can reduce the value of $n$ significantly and, at the same time, maintain the quality of the MIO solution. For the Adult dataset, which has 48,842 training examples, even with a small $K$ value the symbolic constraints would take more than 1 h to solve.
Algorithm 4. Subroutine FindNextFeature(E, F) with our enhancement.

1: Let f_s be the sensitive feature
2: if |E| ≤ 8000 then (O, Φ) = DTLEncoding(E, F, f_s)
3: else (O, Φ) = DTLEncoding(E|sampled, F, f_s)
4: return f* = MIOSolver(O, Φ)


Empirically, we have observed that the feature computed by depth-$K$ look-ahead using 8,000 randomly-chosen examples is almost as good as the feature computed using all examples. Based on this observation, we set the threshold $(n \le 8000)$, i.e., at most 8,000 examples from $E$ are used in the symbolic constraints in Algorithm 4, where $\Phi = \text{DTLEncoding}(E, F, f_s)$ is invoked if $|E| \le 8000$. Otherwise, $E$ is replaced by the randomly-sampled subset $E|_{sampled}$.

Our sampling method is not directly applicable to the original MIP approach 
because, if sampled data are used as input, the MIP solving procedure would 
permanently discard the rest of the data, which would significantly degrade its 
accuracy. In contrast, sampling in our method only causes the rest of the data 
to be ignored temporarily (for this particular node) but, for the child nodes in 
the subtree, the entire data will still be used in the subsequent computation. 
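The following Python is an added illustration of the search structure described in Sect. 4.1 and 4.2 and in Algorithm 4; it is not the SFTree implementation. The MIO solver is replaced by an exhaustive search over binary features (practical only for a handful of features), the objective is the accuracy loss plus a penalty $\alpha$ per branch node (the fairness term is left out), the names are the example's own, and the dataset is constructed: $y = x_1 \oplus x_2$ with a decoy feature $x_0$ that agrees with $y$ on 12 of the 16 examples. On it the depth-1 (greedy, CART-like) choice is $x_0$, depth-2 look-ahead finds $x_1$, and the adaptive loop stops at $K = 2$ because $K = 3$ no longer improves the objective.

```python
"""Greedy decision-tree learning with depth-K look-ahead feature selection,
adaptive K and sampling (Sect. 4.1, 4.2 and Algorithm 4).

Added example; not the paper's SFTree code. The MIO solver is replaced by an
exhaustive search over binary features, the objective is accuracy loss plus
alpha per branch node (no fairness term), and the dataset is constructed:
y = x1 XOR x2, with x0 weakly correlated with y so that the depth-1 (greedy)
choice differs from the depth-2 choice.
"""
import random
import time


def split(examples, f):
    """Binary split on feature f: value 0 goes left, 1 goes right."""
    left = [e for e in examples if e["x"][f] == 0]
    right = [e for e in examples if e["x"][f] == 1]
    return left, right


def leaf_loss(examples):
    """L_l: examples misclassified when the leaf predicts its majority label."""
    ones = sum(e["y"] for e in examples)
    return min(ones, len(examples) - ones)


def best_objective(examples, features, depth, alpha):
    """Minimum of (misclassified + alpha * #branch nodes) over trees of depth <= depth."""
    best = leaf_loss(examples)              # option: make this node a leaf
    if depth == 0:
        return best
    for f in features:
        left, right = split(examples, f)
        if not left or not right:           # split separates nothing
            continue
        cand = alpha + best_objective(left, features, depth - 1, alpha) \
                     + best_objective(right, features, depth - 1, alpha)
        best = min(best, cand)
    return best


def find_next_feature(examples, features, K, alpha=0.5):
    """Depth-K optimal root feature as (objective, feature); feature is None if no split helps."""
    best = (leaf_loss(examples), None)
    for f in features:
        left, right = split(examples, f)
        if not left or not right:
            continue
        cand = alpha + best_objective(left, features, K - 1, alpha) \
                     + best_objective(right, features, K - 1, alpha)
        if cand < best[0]:
            best = (cand, f)
    return best


def find_next_feature_adaptive(examples, features, budget_s, sample_limit=8000, seed=0):
    """Algorithm 4 with adaptive K: sample above the threshold, then deepen the
    look-ahead while time remains and the objective still improves.
    Returns (feature, K used)."""
    if len(examples) > sample_limit:        # E replaced by E|sampled for this node only
        examples = random.Random(seed).sample(examples, sample_limit)
    deadline = time.monotonic() + budget_s
    best_obj, best_f, K = float("inf"), None, 1
    # With binary features a path never reuses a feature, so K > len(features) is pointless.
    while time.monotonic() < deadline and K <= len(features):
        obj, f = find_next_feature(examples, features, K)
        if obj >= best_obj:                 # deeper look-ahead did not help: stop
            break
        best_obj, best_f, K = obj, f, K + 1
    return best_f, K - 1


def xor_dataset():
    """Constructed: 16 examples, y = x1 XOR x2; x0 agrees with y on 12 of them."""
    examples = []
    for x1 in (0, 1):
        for x2 in (0, 1):
            y = x1 ^ x2
            for x0 in (y, y, y, 1 - y):     # three agree with y, one disagrees
                examples.append({"x": (x0, x1, x2), "y": y})
    return examples
```

Sampling is applied per call, so the recursion into a child node sees the full data for that node again, which is the point made in the text above; with the 16-example dataset the threshold is never reached. The objective values are exact here (4.5 for the greedy choice of $x_0$ at $K = 1$, 1.5 for $x_1$ at $K = 2$), so the stopping test on "no improvement" is not affected by floating-point noise.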


4.3 Encoding Other Group Fairness Metrics 


Beyond demographic parity, there are two other popular metrics for group fairness: equal opportunity and equalized odds.


Equal Opportunity. In addition to the sensitive feature $f_s$, there is a decision-critical feature $f_c$. Let

$$P^+_{f_s=0,f_c=1} = \frac{|\{x \in E \mid f_s(x)=0,\, f_c(x)=1,\, T(x)=+\}|}{|\{x \in E \mid f_s(x)=0,\, f_c(x)=1\}|} = \frac{S_0^+}{S_0} \quad\text{and}\quad P^+_{f_s=1,f_c=1} = \frac{|\{x \in E \mid f_s(x)=1,\, f_c(x)=1,\, T(x)=+\}|}{|\{x \in E \mid f_s(x)=1,\, f_c(x)=1\}|} = \frac{S_1^+}{S_1}.$$

A decision tree $T$ satisfies equal opportunity if the following condition holds (for a small $\epsilon$):

$$P^+_{f_s=1,f_c=1} - P^+_{f_s=0,f_c=1} \le \epsilon \qquad (4)$$

In our method, Eq. 4 may be encoded as $\Phi_{EO} := S_1^+ S_0 - S_0^+ S_1 - \epsilon S_0 S_1 \le 0$, to replace $\Phi_{F_s}$ in the fairness requirement $\Phi_{fair} := \Phi_{F_s} \wedge \Phi_{FM}$. The definitions of the variables $S_0$, $S_0^+$, $S_1$ and $S_1^+$ are analogous to those in Sect. 3.4. Similarly, we can define the fairness decision variables $S_{0,i}$, $S^+_{0,i,l}$, $S_{1,i}$, and $S^+_{1,i,l}$. For example, the value of $S_{0,i}$ is set to 1 if $f_s(x_i) = 0 \wedge f_c(x_i) = 1$, and is set to 0 otherwise.


Equalized Odds. To satisfy equalized odds, we must satisfy Eq. 4, as well as the condition below:

$$P^+_{f_s=1,f_c=0} - P^+_{f_s=0,f_c=0} \le \epsilon \qquad (5)$$

Since Eq. 5 can be encoded similarly to Eq. 4, the details are omitted for brevity.
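As an added illustration of Eq. 4 and Eq. 5 (not the paper's code), the following Python computes the conditional positive rates on constructed predictions, checks the gaps against $\epsilon$, and evaluates $\Phi_{EO}$ in the division-free form handed to the solver; the names, the $\epsilon$ constants and the data are the example's own.

```python
"""Equal opportunity (Eq. 4) and equalized odds (Eq. 4 + Eq. 5) from Sect. 4.3,
computed on predictions and checked both as rate differences and in the
division-free form Phi_EO given to the solver.

Added example; not the paper's code. Each example is a dict with the
sensitive feature fs, the decision-critical feature fc and the tree's
prediction pred (1 = positive); the examples are constructed below.
"""
from fractions import Fraction

EPS_LOOSE = Fraction(1, 10)   # tolerances used in the checks below
EPS_TIGHT = Fraction(1, 20)


def group(examples, fs_value, fc_value):
    """Examples with f_s = fs_value and f_c = fc_value."""
    return [e for e in examples if e["fs"] == fs_value and e["fc"] == fc_value]


def positive_rate(examples, fs_value, fc_value):
    """P^+_{f_s = fs_value, f_c = fc_value} = S^+ / S for that group."""
    g = group(examples, fs_value, fc_value)
    if not g:
        raise ValueError("empty group; the encoding assumes S_0, S_1 > 0")
    return Fraction(sum(e["pred"] for e in g), len(g))


def rate_gap(examples, fc_value):
    """P^+_{f_s=1,f_c=fc_value} - P^+_{f_s=0,f_c=fc_value}: Eq. 4 for fc_value = 1, Eq. 5 for 0."""
    return positive_rate(examples, 1, fc_value) - positive_rate(examples, 0, fc_value)


def phi_eo(examples, eps, fc_value=1):
    """Left-hand side of Phi_EO := S_1^+ S_0 - S_0^+ S_1 - eps S_0 S_1 (<= 0 when satisfied)."""
    g0, g1 = group(examples, 0, fc_value), group(examples, 1, fc_value)
    S0, S1 = len(g0), len(g1)
    S0p, S1p = sum(e["pred"] for e in g0), sum(e["pred"] for e in g1)
    return S1p * S0 - S0p * S1 - eps * S0 * S1


def equal_opportunity(examples, eps):
    """Eq. 4 as a rate difference."""
    return rate_gap(examples, 1) <= eps


def equalized_odds(examples, eps):
    """Eq. 4 and Eq. 5 together."""
    return rate_gap(examples, 1) <= eps and rate_gap(examples, 0) <= eps


def make_examples():
    """Constructed: ten examples per (f_s, f_c) cell with the given number of positives."""
    positives = {(0, 1): 6, (1, 1): 7, (0, 0): 2, (1, 0): 3}
    examples = []
    for (fs, fc), k in positives.items():
        for i in range(10):
            examples.append({"fs": fs, "fc": fc, "pred": int(i < k)})
    return examples
```

On the constructed data both gaps are exactly $1/10$, so the tree meets equal opportunity and equalized odds at $\epsilon = 0.1$ and fails both at $\epsilon = 0.05$; the value of $\Phi_{EO}$'s left-hand side is $0$ and $5$ respectively, which is the same verdict the division-free form gives the solver. Note that the one-sided inequality only bounds how much better the $f_s = 1$ group is treated; a symmetric requirement needs the mirrored constraint as well.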
Table 1. Comparing our method with existing methods on small benchmarks.

Benchmark      | SFTree (ours)      | CART [27]          | IGCS [24]          | MIP [1]
               | Accuracy  Fairness | Accuracy  Fairness | Accuracy  Fairness | Accuracy  Fairness
German Fold1   | 77.5%     0.82     | 83.0%     0.65     | 74.0%     0.84     | 80.5%     0.82
German Fold2   | 80.5%     0.81     | 85.0%     0.67     | 78.5%     0.78     | 83.5%     0.82
German Fold3   | 76.0%     0.84     | 79.0%     0.71     | 73.5%     0.80     | 78.5%     0.84
German Fold4   | 81.0%     0.80     | 83.5%     0.65     | 76.0%     0.84     | 81.0%     0.89
German Fold5   | 80.5%     0.81     | 85.0%     0.66     | 77.0%     0.81     | 83.0%     0.81
Salary Fold1   | 81.8%     0.82     | 90.9%     0.59     | 81.8%     0.82     | 81.8%     0.82
Salary Fold2   | 72.7%     0.83     | 90.9%     0.57     | 81.8%     0.77     | 81.8%     0.84
Salary Fold3   | 72.7%     0.83     | 81.8%     0.62     | 72.7%     0.83     | 81.8%     0.83
Salary Fold4   | 81.8%     0.82     | 90.9%     0.61     | 81.8%     0.82     | 81.8%     0.82
Salary Fold5   | 81.8%     0.81     | 81.8%     0.57     | 72.7%     0.73     | 72.7%     0.83
Student Fold1  | 71.2%     0.84     | 75.9%     0.58     | 72.1%     0.78     | 72.8%     0.87
Student Fold2  | 70.3%     0.81     | 75.1%     0.63     | 69.3%     0.82     | 72.8%     0.85
Student Fold3  | 70.9%     0.81     | 73.6%     0.57     | 71.4%     0.81     | 73.6%     0.85
Student Fold4  | 69.1%     0.82     | 75.1%     0.61     | 69.3%     0.77     | 71.3%     0.84
Student Fold5  | 71.5%     0.84     | 77.5%     0.53     | 72.0%     0.81     | 75.1%     0.84


5 Experiments 


We have implemented our method, SFTree, using Python, Julia 1.5.1 [15], and Gurobi 9.03 [21], where Julia is used to encode the MIO constraints and Gurobi is used to solve the constraints. We compared SFTree with three state-of-the-art techniques: CART, which is a mainstream algorithm for decision tree learning; IGCS, which is a discrimination-aware learning algorithm; and MIP, which is a monolithic MIO approach to learning fair trees. We conducted all experiments on macOS Catalina with a 2.4 GHz 8-core CPU and 64 GB RAM.


Benchmarks. Our evaluation uses six popular benchmarks from the fairness literature. They are divided into three small datasets and three large datasets. Since the small datasets can be handled by the less-scalable but more-accurate MIP to obtain globally optimal solutions, they are useful in evaluating the quality of our method. The large datasets, in contrast, are out of the reach of MIP and thus useful in evaluating the scalability of our method.


— Among the small datasets, German [23] (predicting credit risks) has 1000 train- 
ing examples and 20 features; Student [12] (predicting student performance) 
has 649 training examples and 33 features; and Salary [36] (predicting the 
salary level) has 52 training examples and 16 features. In these datasets, the 
sensitive feature is gender. 

— Among the large datasets, Adult [14] (predicting the earning power) has 
48,842 training examples and 14 features (with race as the sensitive feature); 
Default [37] (predicting loan default risk) has 30,000 training examples and 
23 features (with gender as the sensitive feature); and Compas [13] (predicting 
the recidivism risk) has 10,500 training examples and 16 features (with race 
as the sensitive feature). 
Table 2. Comparing our method with existing methods on large benchmarks ("-" means MIP did not finish).

Benchmark      | SFTree (ours)      | CART [27]          | IGCS [24]          | MIP [1]
               | Accuracy  Fairness | Accuracy  Fairness | Accuracy  Fairness | Accuracy  Fairness
Adult Fold1    | 80.3%     0.81     | 83.0%     0.54     | 82.8%     0.51     | -         -
Adult Fold2    | 77.4%     0.86     | 80.0%     0.57     | 81.9%     0.68     | -         -
Adult Fold3    | 75.7%     0.84     | 79.8%     0.57     | 81.3%     0.72     | -         -
Adult Fold4    | 78.1%     0.83     | 82.1%     0.55     | 83.0%     0.62     | -         -
Adult Fold5    | 77.1%     0.86     | 82.6%     0.55     | 75.7%     0.68     | -         -
Default Fold1  | 80.5%     0.81     | 84.7%     0.64     | 81.3%     0.77     | -         -
Default Fold2  | 84.7%     0.81     | 86.3%     0.61     | 84.0%     0.73     | -         -
Default Fold3  | 80.5%     0.83     | 83.2%     0.66     | 82.7%     0.75     | -         -
Default Fold4  | 78.8%     0.85     | 84.1%     0.64     | 81.5%     0.73     | -         -
Default Fold5  | 81.4%     0.82     | 83.9%     0.64     | 81.7%     0.71     | -         -
Compas Fold1   | 86.4%     0.89     | 92.8%     0.63     | 86.7%     0.81     | -         -
Compas Fold2   | 89.8%     0.96     | 92.5%     0.61     | 87.5%     0.83     | -         -
Compas Fold3   | 85.3%     0.94     | 90.4%     0.67     | 88.9%     0.74     | -         -
Compas Fold4   | 87.2%     0.96     | 92.6%     0.63     | 92.0%     0.61     | -         -

During learning, we apply the standard 5-fold cross validation except for Compas, to which we apply 4-fold cross validation to be consistent with prior work.


Results on the Small Benchmarks. We compare the quality of the decision trees learned by our method and three existing methods on the small benchmarks. The results are shown in Table 1, where Column 1 shows the name of the dataset, Columns 2-3 show the result of our method in terms of accuracy and fairness, computed by cross-validation, Columns 4-5 show the result of CART, Columns 6-7 show the result of IGCS, and Columns 8-9 show the result of MIP. Since the datasets are small, MIP is able to compute the best solutions: without violating the 80% Rule, it maximizes accuracy.

The result shows that, overall, CART has the best accuracy but the worst 
fairness score. IGCS improves over CART, but still violates the 80% Rule in 5 out 
of the 15 cases. In contrast, SFTree satisfies the fairness requirement in all 15 
cases and, at the same time, achieves high accuracy. Furthermore, it runs more 
than 10 times faster than MIP. 


Results on the Large Benchmarks. We use these benchmarks to evaluate 
both the quality and the scalability of our method. Table 2 shows the result of the 
quality comparison, which has the same format as Table 1. CART has the highest 
accuracy but fails to satisfy the fairness requirement in all 14 cases. Although 
IGCS is somewhat effective for the small benchmarks in Table 1, here, it fails to 
satisfy the fairness requirement in 12 of the 14 cases. In contrast, our method is 
the only one that satisfies the fairness requirement in all cases and, at the same 
time, has accuracy comparable to CART and IGCS. 

Table 3 shows the execution time comparison. MIP times out in all 14 cases (T/O = 3 h), while our method finishes each within 1 h (at most 2,536 s). Thus, our method runs at least 4 times faster than MIP on these benchmarks; since MIP never finished within the limit, the true gap may be larger. Although CART and IGCS are faster, they are equivalent to depth-1 look-ahead search in our method and, due to the limited ability to look ahead, they almost never satisfy the fairness requirement.
Table 3. Comparing the run time of the methods on large benchmarks (T/O = 3 h).

Benchmark      | SFTree | CART [27] | IGCS [24] | MIP [1]
Adult Fold1    | 2064s  | 39s       | 40s       | T/O
Adult Fold2    | 2119s  | 39s       | 39s       | T/O
Adult Fold3    | 2075s  | 39s       | 40s       | T/O
Adult Fold4    | 2090s  | 39s       | 40s       | T/O
Adult Fold5    | 2091s  | 39s       | 39s       | T/O
Default Fold1  | 2499s  | 28s       | 28s       | T/O
Default Fold2  | 2478s  | 29s       | 29s       | T/O
Default Fold3  | 2526s  | 29s       | 29s       | T/O
Default Fold4  | 2536s  | 28s       | 29s       | T/O
Default Fold5  | 2531s  | 28s       | 29s       | T/O
Compas Fold1   | 2115s  | 15s       | 16s       | T/O
Compas Fold2   | 2137s  | 15s       | 15s       | T/O
Compas Fold3   | 2129s  | 15s       | 15s       | T/O
Compas Fold4   | 2166s  | 15s       | 15s       | T/O
Fig. 4. How accuracy and fairness of the learned decision tree change with the K value for the Student dataset. For each K = 1, ..., 7, we plot the fairness and accuracy scores.


Evaluating the Impact of the K-value. We have also evaluated how the $K$ value affects the quality of the learned decision tree using the Student Fold1 benchmark. Since the benchmark is small enough, we set $K$ to the fixed values $1, \ldots, 7$ instead of letting it adapt, so we can assess the impact. Figure 4 shows the result, where the x-axis is accuracy and the y-axis is the fairness score. Thus, the closer a dot is to the top-right corner, the higher the overall quality is. The result shows that the quality of our solution increases dramatically as the $K$ value increases from 1 to 7, due to the increasingly deeper look-ahead search.


Summary of Additional Results. While we have also evaluated the scalability of our method with respect to the dataset size, we omit the results for brevity and instead provide a summary. What we have found is that, as the dataset gets larger, the execution time of our method increases modestly at first, and then stops increasing after a threshold is reached. This is due to the use of the performance enhancement techniques presented in Sect. 4. Thus, our method does not have scalability issues. In fact, among all four methods, SFTree is the only one that consistently produces fair and accurate decision trees for datasets with >40,000 training samples.


6 Related Work 


At a high level, our method can be viewed as an in-processing approach to 
mitigating bias in machine learning models. Broadly speaking, there are three 
approaches: pre-processing [17,25,31], in-processing [11,19,24,30,33] and post- 
processing [18,22], depending on whether the focus is on de-biasing the training 
data, the learning algorithm, or the classification output. 

Since the pre-processing approach focuses on de-biasing the training data [17, 
25,31], it is applicable to any machine learning model; however, it cannot remove 
bias introduced by the learning algorithms, which is problematic because, even 
if the training data is not biased, learning algorithms may introduce new bias. 
While the post-processing approach can remove such bias by modifying the pre- 
dicted output [18,22], the result is often hard to predict and difficult to explain. 
In contrast, our method does not have these limitations. 

Compared to other in-processing techniques for fair learning decision trees, 
including IGCS [24] and similar greedy search methods [11, 19,30,33], our method 
has the advantage of being more systematic and quantifiable. This is because 
we encode both accuracy and fairness requirements explicitly as numerical con- 
straints. Thus, it would be easy to explain, at every step, why a feature is chosen 
over another feature, and quantify how much more effective it is in minimizing 
bias and accuracy loss at the same time. Compared to the monolithic constraint 
solving approach, including MIP [1] and similar methods [5,35], our method has 
the advantage of being significantly more scalable. 

Our method differs from the recent work of Torfah et al. [32] in that their 
method uses a small training set sampled from a known distribution and thus 
does not need techniques such as incremental solving. Furthermore, their method 
assumes the decision predicates are given, but in our method, the predicates 
are synthesized from real-valued features. Finally, our fairness constraint is also 
different from the explainability constraint. 

Besides synthesis, there are techniques for improving fairness by repairing an 
existing machine learning model [4,9,20,26], and techniques for verifying that 
an existing machine learning model is indeed fair, e.g., by using probabilistic 
analysis methods [3,6,28]. While these techniques are related, they differ from 
our method in that they cannot synthesize new decision trees from training data 
while ensuring the decision trees are fair by construction. 
Conclusion

We have presented a method for synthesizing a fair and accurate decision tree by formulating feature selection as a series of mixed-integer optimization problems and solving them using an off-the-shelf constraint solver. The method is flexible in expressing group fairness metrics including demographic parity, equal opportunity, and equalized odds. On popular datasets, it is able to learn decision trees that satisfy the fairness requirement and, at the same time, achieve a high classification accuracy.
Abstract. Machine learning compilers are large software containing
complex transformations for deep learning models, and any buggy trans- 
formation may cause a crash or silently bring a regression to the pre- 
diction accuracy and performance. This paper proposes an SMT-based 
translation validation framework for Multi-Level IR (MLIR), a compiler 
framework used by many deep learning compilers. It proposes an SMT 
encoding tailored for translation validation that is an over-approximation 
of the FP arithmetic and reduction operations. It performs abstrac- 
tion refinement if validation fails. We also propose a new approach for 
encoding arithmetic properties of reductions in SMT. We found mis- 
matches between the specification and implementation of MLIR, and 
validated high-level transformations for SqueezeNet, MobileNet, and 
text_classification with proper splitting. 


1 Introduction 


Machine learning compilers play a crucial role in the deep learning ecosystem. 
Their primary goal is to lower high-level tensor operations into fast machine 
instructions. To boost the speed of training and inference, they utilize several 
optimizations. Tensors’ layouts may be changed for spatial locality, and loops 
lowered from tensor operations may be fused and offloaded into GPUs if benefi- 
cial. Any bug in the optimizations may cause a crash or silently bring a regression 
to the prediction accuracy and performance. 

However, verifying machine learning compilers is a challenging goal. Open- 
source compilers like XLA, Glow, and MLIR are being updated daily. As their 
intermediate representations (IRs) are for internal uses, they are sometimes 
underspecified, making their formalization hard. Furthermore, programmers 
want to boost the performance at the expense of precision by allowing unsafe 
arithmetic properties such as associativity of addition. 
Recently, SMT-based automatic translation validation has gained attention [33] because it fits well with fast-moving industrial compilers. Translation validation is an approach to checking whether a specific compilation is correct by inspecting the source (input) and target (output) programs. To cover a variety of compiler optimizations, it uses an SMT solver, which is an automatic theorem prover for first-order logic. Using an SMT solver allows us to quickly explore possible semantics for IRs by implementing them and validating compilations of various programs.

A key challenge is how to make SMT solvers prove the verification condition 
in a reasonable time. To use an SMT solver, the given problem must not be too 
complex. Bit-vector and uninterpreted function (UF) theories are well-supported 
by the majority of solvers, whereas floating-point numbers are not [14]. This 
implies that finding an efficient encoding for tensors and their operations is 
important for practical validation of machine learning compilers. 

In this paper, we propose an SMT-based translation validation framework for Multi-Level IR (MLIR). MLIR is a compiler framework for facilitating the modular development of domain-specific compilers by sharing IRs and relevant transformations. MLIR is primarily used by TensorFlow, TFLite, and IREE. More deep learning frameworks, like PyTorch, are adding support for MLIR.

Our goal is to validate high-level, target-independent intraprocedural transformations in MLIR. These include lowering high-level tensor operations to loops, bufferizing tensors, simplifying tensor/buffer operations, and simple loop optimizations. Our tool does not receive hints about the ongoing transformation from the compiler.

The list of contributions of our paper is as follows: 


— The first SMT-based translation validation for MLIR (Sect. 3). 

— An abstract representation of FP arithmetic for translation validation 
(Sect. 4). 

— An SMT encoding of tensor operations and loops as well as fast encoding of 
arithmetic properties of reduction operations (Sect. 5). 

— Validation of compilation of three deep learning models as well as hundreds 
of unit tests in MLIR (Sect. 7). 

— A discovery of several ambiguities in the semantics of MLIR (Sect. 7). 


2 Multi-level Intermediate Representation (MLIR) 


The MLIR project is an open-source compiler infrastructure that facilitates the 
modular development of domain-specific compilers by sharing reusable parts. 
The reusable parts are dialects and relevant compiler transformations. A dialect 
is a subset of a compiler’s intermediate representation language. An intermediate 
representation (IR) program in MLIR is expressed using one or more dialects. 
They are ultimately lowered into the input languages of low-level code generation 
frameworks such as LLVM IR or SPIR-V through first-class dialects. We will 
introduce several core dialects in MLIR, which are also our targets for validation. 
Dialects for Tensors. The tensor and tosa (Tensor Operator Set Architecture) dialects define the tensor type and operations. Pre-trained machine learning models can be lowered to them via importers.

A tensor type consists of an element type and dimensions. The tensor dimensions can be dynamic, in which case they are retrievable at runtime. Its elements can be accessed through, e.g., tensor.extract with valid indices. Tensor registers do not alias each other and are in static single assignment (SSA) form. tosa provides a set of operations commonly employed by deep neural networks, such as convolution or pooling.


    // f32 is the float type in C
    func @calc(%img : tensor<2x64x64x3xf32>,
               %filter : tensor<16x3x6x3xf32>) {
      %c0 = arith.constant -0.0 : f32
      %bias = tensor.from_elements %c0, ... , %c0
          : tensor<16xf32>
      %res = tosa.conv2d(%img, %filter, %bias)
          ... -> tensor<2x62x59x16xf32>
      return %res : tensor<2x62x59x16xf32>
    }

(a) A convolution operation.

    #col_major = affine_map<(d0, d1)->(d1*3+d0)>
    func @example(%arg0 : memref<2x3xf32>,
                  %arg1 : memref<2x3xf32, #col_major>) {

(b) Two memref arguments.

    #map0 = affine_map<(d0, d1, d2)->(d0, d2)>
    #map1 = affine_map<(d0, d1, d2)->(d2, d1)>
    #map2 = affine_map<(d0, d1, d2)->(d0, d1)>
    // i32 is the 32-bit int type in C
    %output = linalg.generic {
        // #map0, #map1: maps for %A, %B
        // #map2: a map for %C
        indexing_maps = [#map0, #map1, #map2],
        iterator_types = ["parallel", "parallel", "reduction"]}
      ins(%A, %B : tensor<16x8xi32>, tensor<8x32xi32>)
      outs(%C : tensor<16x32xi32>) {
      ^bb0(%a: i32, %b: i32, %c: i32):
        %ab = arith.muli %a, %b : i32
        %res = arith.addi %c, %ab : i32
        linalg.yield %res : i32
    } -> tensor<16x32xi32>

(c) %C + %A × %B in linalg.

Fig. 1. Dialects for tensors and buffers in MLIR.


The @calc function in Fig. 1(a) takes two tensor arguments, performs a convolution 
(tosa.conv2d), and returns the result. The input bias and output tensor 
are stored in the tensor-typed virtual registers %bias and %res. Note that different 
dialects (tensor, tosa, and arith, the dialect for simple arithmetic operations) 
can coexist in one IR program. 


MemRef Dialect. The memref dialect has a type for memory references (which 
is also called memref) and relevant operations. The memref type is similar to a 
pointer type in C but carries richer information. It has a layout map that 
maps multidimensional, logical indices to a one-dimensional, physical address¹. 
It is used to create a view of a specific memory region in the form of a tensor. It 
supports arbitrary access patterns such as strided accesses or a transposed view. 
MLIR transformations assume that the layout map is injective. 

Figure 1(b) shows two memref arguments with different layout maps. %arg0 
has the default row-major layout map. On the other hand, %arg1 has a column- 
major layout map, meaning that %arg1[i][j] is located at offset (i + j × 3) 
from the reference point. The coefficients of the indices d0, d1 (1 and 3 in 
#col_major) are called strides. 


1 Its domain can also be multidimensional in general, but we do not support the case. 
Linalg Dialect. The linalg dialect contains various loop-like operations on 
tensors and buffers. linalg operations are more primitive than tosa's and can 
be performed on buffers. 

In linalg, one can represent a generic loop in a structured form using the 
linalg.generic operation. Each loop explicitly takes input tensors or buffers 
as its operands. The loop’s indexing maps describe which elements are chosen 
at each iteration. The elements chosen from the inputs at an iteration are rep- 
resented as input arguments of the loop body region. 

The loop body yields a value at each iteration, and the results constitute 
the output elements. A loop that takes an output buffer writes the resulting 
elements to the buffer. A loop that takes an output tensor stores the resulting 
tensor in a new tensor register, which can later be used as another input tensor. 

Figure 1(c) shows how to represent %C + %A × %B for three matrices %A, %B, and 
%C in linalg.generic. The shapes of %C and the resulting tensor (%output) must be 
the same. The linalg.generic is a triply nested loop that has three induction 
variables d0, d1, d2. The indexing_maps describe which elements of the tensors 
are retrieved in each iteration. The retrieved elements are assigned to the block 
arguments %a, %b, and %c of the loop body. The loop body performs integer 
multiplication (arith.muli) followed by addition (arith.addi) and yields the result to 
the next iteration, where it again becomes %c. iterator_types shows that the third 
(innermost) loop is a reduction loop because it performs a summation, whereas the 
two outer loops can be parallelized. 

linalg is the source and target dialect of several key transformations. First, 
tosa's operations can be lowered into combinations of linalg's operations 
on tensors. Second, bufferization of linalg's operations changes their tensor 
operands into buffers. Third, linalg.generic loops can be optimized into 
fused linalg.generic loops or simpler operations. Fourth, conversions from 
linalg to lower-level dialects yield for loops (affine, scf) or control-flow graphs 
(standard). 


Transformations in MLIR. MLIR provides transformations that (1) convert 
the input programs written in high-level dialects into the low-level ones, or (2) 
optimize the input program into more efficient form. Except for those that inten- 
tionally change the input program’s behavior, transformations must preserve the 
behavior. 


3 Overview 


In this section, we introduce mlir-tv, a translation validation framework for 
MLIR. Like other frameworks [22,33,36,41,42], mlir-tv takes two programs 
written in the IR and checks whether the transformation between them is correct. Since 
mlir-tv targets intraprocedural transformations, functions in the two programs 
with the same signature are checked pairwise. mlir-tv relies on an SMT solver 
to automatically prove that the transformation is correct, or to find a counterexample 
if it is incorrect. 
mlir-tv symbolically encodes each MLIR instruction in a function and emits 
its final state as a logical formula. After encoding the final states of the source 
and target functions f_src and f_tgt, mlir-tv checks a refinement predicate using 
an SMT solver. The predicate states that for any input state I consisting of 
an initial memory and argument values, f_src(I) ⊒ f_tgt(I) must hold, where ⊒ 
is a refinement relation between two final states (Sect. 6.3). If the SMT solver 
finds an input that breaks the refinement, mlir-tv concludes that the compiler 
transformation is incorrect. If the SMT solver proves that no such input 
exists, the transformation is correct. 


3.1 Abstraction for Floating-Point Arithmetic 


For practical validation of tensor transformations, it is crucial to efficiently rep- 
resent floating-point (FP) arithmetic in SMT. SMT-LIB 2 formally supports 
IEEE-754 [10] under the name of the FPA theory [37]. SMT solvers support- 
ing the FPA theory typically simulate the hardware implementation of the FP 
arithmetic by representing their bits as boolean variables and converting FP 
operations into boolean expressions (called bit-blasting) [13]. Then, the formula 
can be efficiently solved using their highly optimized SAT solvers. 

However, there are two challenges in using the FPA theory to prove transfor- 
mations on tensors. First, encoding FP arithmetic in SMT is expensive because 
solvers internally yield large expressions. Also, a significant portion of tensor 
transformations does not require such precise encoding. For example, bufferiza- 
tion is agnostic to the representation of the underlying values because its goal 
is moving the virtual registers to memory buffers correctly. Second, machine 
learning compilers want to support transformations that are incorrect under 
IEEE-754 for performance. We cannot simply rely on FPA in this case because 
it will invalidate the transformations. 

To address these concerns, mlir-tv abstractly encodes the FP operations 
(Sect. 4). We find an abstract domain for FP numbers that is specific to the 
transformation to validate. It uses over-approximation, meaning that a successful 
validation implies the correctness of the transformation. If validation fails, 
mlir-tv refines the abstraction and tries validation again (Sect. 6.3). 


3.2 The Formal Semantics of Dialects 


Since there is no official formal semantics for MLIR dialects yet, we read the 
textual specification of MLIR dialects and represented them in the encoding 
function. The function returns the final state in SMT expressions. Therefore, it 
implicitly defines the big-step formal semantics of the dialects in MLIR. Also, the 
function contains encoding rules for each instruction, which implicitly represent 
its small-step semantics. 

Note that we are not proposing new formal semantics for unsafe FP arithmetic. 
We assume that there exists a valid FP semantics that satisfies certain 
arithmetic properties. The concrete semantics of FP operations is hidden under 
the uninterpreted functions used for the abstract encoding. The semantics of 
unsafe FP arithmetic is often explained using nondeterministic execution [11], 
and encoding it in SMT requires universal quantification, which is expensive. 


4 Encoding Floating-Point Numbers and Tensors 


To overcome the challenges described in Sect. 3.1, we devise an abstract encoding 
of FP arithmetic tailored for translation validation. In this abstract encoding, 
an FP number is represented as a bit-vector that is typically smaller than its 
original bit width. The operations on FP numbers are represented as uninterpreted 
functions (UFs) satisfying arithmetic properties like commutativity. Our encoding 
does not miss bugs because it is an over-approximation of the FP arithmetic. On the 
other hand, validation failure does not always mean that the transformation is wrong. 


4.1 Abstract Domain of Floating-Point Numbers 


We begin with defining an abstract domain for FP numbers that is specific to 
the transformation to validate. We count the number of distinct FP numbers 
that are required to express at least one counterexample if the transformation is 
incorrect. As a result, if it is possible to prove that no counterexample is found 
in this abstract domain, no concrete counterexample can exist. 

Consider a transformation that swaps the two operands of FP addition: 


    // The source function 
    func @f(%a: f32, %b: f32) { 
      %c_src = addf %a, %b: f32 
      return %c_src: f32 
    } 

    // The target function 
    func @f(%a: f32, %b: f32) { 
      %c_tgt = addf %b, %a: f32 
      return %c_tgt: f32 
    } 


An invocation of the source function (top) can observe at most three distinct FP 
numbers because it has three FP registers %a, %b, and %c_src. Similarly, the 
target function (bottom) can observe at most three different numbers. The number 
of distinct FP numbers required to validate the transformation is not greater 
than 4 = 3 + 3 − 2 since two of those are shared as arguments. 

After counting the number, we abstractly represent the values of FP registers 
and constants using bit-vectors. For the above example, 2 bits are enough in 
theory because 4 ≤ 2². We will use the notation ⟦%a⟧ to represent the abstract 
bit-vector value of %a. In SMT, two bit-vector variables are declared for %a and 
%b because they can be any value, and %c_src and %c_tgt are defined as expressions 
with respect to the variables. 

Defining Operations. To abstractly define addf, we declare a UF for addition. 
If the arithmetic properties of addition are ignored, ⟦addf(%a, %b)⟧ may be 
defined as addf_UF(⟦%a⟧, ⟦%b⟧), where the definition of the UF addf_UF is arbitrarily 
determined by the SMT solver. Since the solver's goal is to find a counterexample, 
it will try to find a definition of addf_UF that breaks the transformation. If the 
solver cannot find one, the transformation is correct under any definition of FP 
addition. 
Note that validating the above example requires encoding commutativity, 
'addf_UF(⟦%a⟧, ⟦%b⟧) = addf_UF(⟦%b⟧, ⟦%a⟧)'. Instead of using an expensive universal 
quantification, we encode addition as 'addf'_UF(x, y) & addf'_UF(y, x)', where & is 
the bitwise and operation and addf'_UF is another UF. Without loss of generality, 
this encodes all possible commutative functions². 

To encode the result of operations on ±0, ±1, ±f_MAX (the finite maximum), ±∞ and 
NaN, we use the ite (if-then-else) expression in SMT. For example, to encode 
'NaN + y = NaN', the expression is wrapped with an ite that checks whether one of 
the inputs is NaN. Combined with the commutativity encoding, the expression 
for x + y becomes as follows. 'x is NaN' is the SMT formula checking that x is NaN 
by inspecting x's abstract representation, which will be described later. 


$\mathrm{ite}(x \text{ is NaN} \lor y \text{ is NaN},\ \mathrm{NaN},\ \mathit{addf}'_{UF}(x, y)\ \&\ \mathit{addf}'_{UF}(y, x))$ 

Using UFs and ites, we abstractly encode +, −, ×, / and $x^y$. Subtraction is 
defined as an addition of the negated second operand. Division is not equivalent 
to multiplication by the inverted operand due to the existence of subnormal 
values. Therefore, it is encoded using a separate UF. 

Comparisons, |x| and −x are precisely encoded because our bit-vector representation 
natively supports them. Their representation will be described below. 


Bit-vector Structure. A bit-vector for FP consists of a sign bit (SB) at its 
most significant bit and magnitude bits (MB) at all of the less significant bits. 
They represent the sign and the order of the absolute value of the original number, 
respectively. Therefore, comparing the magnitudes of two finite FP numbers is 
equivalent to simply comparing their MBs. If MB[1 .. |MB| − 1] are all set to 
1, the original value is ∞ (MB[0] = 0) or NaN (MB[0] = 1). Unlike IEEE-754 [10], 
which has multiple NaN values per sign, we have one representation per sign³. 

The bit-vector representation of an FP constant is a concatenation of 
the sign bit and the magnitude bits, which is a bit-vector variable in SMT. The bit- 
vector variables are given preconditions so that a constant with a larger absolute 
value is guaranteed to have a larger MB. 


Supporting Floating Point Casts. To support FP casts, MB is further split 
into three parts: limit bits (LB), truncated bits (TB), and precision bits (PB), 
in descending order of significance. These parts determine the result of casting the 
value into a smaller FP type. LB represents the overflow condition: if LB is 0, a 
cast to the smaller type yields a finite value; if not, it yields ±∞. TB represents 
the magnitude floored to the target type; its bit width is equal to the bit 
width of MB of the smaller type. PB represents the offset from the floored value. 
If PB is 0, the value is truncated to the exact value without loss of precision. 
Otherwise, the value must be rounded, and the direction is determined by a UF 
returning a boolean. Extension is done by copying MB into TB and filling LB and 
PB with zeros⁴. 


2 We describe its formal proof in our online supplementary material [5]. 
3 We chose this policy because respecting the bits invalidates several transformations 
in LLVM and the behavior of processors canonicalizing NaN values [33]. 
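The following Python snippet is an added illustration, not code from this paper or from mlir-tv, of the encoding of Sect. 4.1 so far: the SB/MB bit-vector layout with its ∞/NaN patterns, the precise negation, |x| and comparison, the NaN-propagating and commutative addf built from an arbitrary UF, and the LB/TB/PB cast rule. Instead of emitting SMT terms it evaluates everything concretely and brute-forces the universal quantifier over a tiny abstract domain; the bit widths (a 6-bit MB, split 2/3/1 for a cast to a type with a 3-bit MB) and the Python tables standing in for UFs are assumptions of this example.

```python
"""Added example, not code from the paper or from mlir-tv: a concrete toy of the
abstract FP encoding of Sect. 4.1.  Values are evaluated in plain Python instead
of being emitted as SMT terms, and the uninterpreted functions (UFs) are tables
we pick ourselves; the SMT solver may pick any table, so a property must hold
for every choice.  Bit widths below are assumptions of this example."""
from itertools import product

MB_BITS = 6                          # magnitude width of the "large" type
LB_BITS, TB_BITS, PB_BITS = 2, 3, 1  # limit / truncated / precision bits
assert LB_BITS + TB_BITS + PB_BITS == MB_BITS

# An abstract value is the integer SB | MB for a type whose MB has `bits` bits.
def mb(v, bits):     return v & ((1 << bits) - 1)
def sign(v, bits):   return v >> bits
def nan(bits):       return (1 << bits) - 1                   # MB all ones: the one NaN per sign
def inf(bits, s=0):  return (s << bits) | ((1 << bits) - 2)   # MB[1..] = 1, MB[0] = 0
def is_nan(v, bits): return mb(v, bits) == nan(bits)
def is_inf(v, bits): return mb(v, bits) == (1 << bits) - 2

# Negation, |x| and comparison are precise: they only touch SB or compare MBs.
def negate(v, bits): return v ^ (1 << bits)
def fabs(v, bits):   return mb(v, bits)

def lt(a, b, bits):
    """a < b: false if either is NaN; the signs decide first, then MB order."""
    if is_nan(a, bits) or is_nan(b, bits):
        return False
    sa, sb, ma, mb_ = sign(a, bits), sign(b, bits), mb(a, bits), mb(b, bits)
    if sa != sb:
        return sa == 1 and (ma | mb_) != 0   # -x < +y, except that -0 < +0 is false
    return ma < mb_ if sa == 0 else ma > mb_

def addf_from_uf(g, bits):
    """ite(x is NaN or y is NaN, NaN, g(x, y) & g(y, x)): commutative for ANY g."""
    def addf(x, y):
        if is_nan(x, bits) or is_nan(y, bits):
            return nan(bits)
        return g(x, y) & g(y, x)
    return addf

def holds_for_all_pairs(pred, bits):
    """Brute-force the universal quantifier over the whole abstract domain."""
    dom = range(1 << (bits + 1))
    return all(pred(x, y) for x, y in product(dom, repeat=2))

def cast_down(v, roundup):
    """Cast large -> small.  LB != 0 means overflow to +/-inf; otherwise TB is the
    magnitude floored to the small type and PB != 0 means rounding is needed,
    with the direction chosen by the boolean UF `roundup`."""
    s = sign(v, MB_BITS)
    if is_nan(v, MB_BITS):
        return nan(TB_BITS)          # specials propagate (assumed here)
    if is_inf(v, MB_BITS):
        return inf(TB_BITS, s)
    m = mb(v, MB_BITS)
    lb = m >> (TB_BITS + PB_BITS)
    tb = (m >> PB_BITS) & ((1 << TB_BITS) - 1)
    pb = m & ((1 << PB_BITS) - 1)
    if lb != 0:
        return inf(TB_BITS, s)
    if pb != 0 and roundup(v):
        tb += 1
    # Precondition of the encoding: a finite result never lands on the small
    # type's inf/NaN pattern.
    assert tb < (1 << TB_BITS) - 2, "encoding precondition violated"
    return (s << TB_BITS) | tb

def cast_up(v):
    """Cast small -> large: copy MB into TB, LB and PB are zero."""
    s = sign(v, TB_BITS)
    if is_nan(v, TB_BITS):
        return nan(MB_BITS)
    if is_inf(v, TB_BITS):
        return inf(MB_BITS, s)
    return (s << MB_BITS) | (mb(v, TB_BITS) << PB_BITS)

def roundtrip_is_exact():
    """Every finite small value survives cast_up then cast_down, whatever roundup says."""
    return all(cast_down(cast_up(v), lambda _: True) == v
               for v in range(1 << (TB_BITS + 1))
               if not is_nan(v, TB_BITS) and not is_inf(v, TB_BITS))
```

Because the UF tables are arbitrary, the checks are exactly what a solver would have to refute: commutativity holds for every g, a commutative h is reproduced by choosing g = h (h(x, y) & h(y, x) = h(x, y)), and a finite small value survives widening followed by narrowing regardless of the rounding UF.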


4.2 Encoding Tensors 


In SMT, a tensor is represented as an array expression from the address space- 
sized bit-vector to the element type. A multidimensional tensor is encoded as a 
one-dimensional array in row-major order. The dimension sizes of dynamically 
shaped tensor arguments are encoded as bit-vector variables. The number of 
elements of a tensor cannot exceed the size of the address space. 

For each tensor argument in MLIR function, a new SMT array variable is 
assigned because its value can be fully arbitrary. The results of tensor operations 
are encoded as lambda expressions in SMT which is described in Sect. 5.1. 


Uninitialized Tensors. A tensor may contain uninitialized elements. In SMT, 
a tensor carries another boolean array that indicates uninitialized elements. 

We define accessing uninitialized elements as undefined behavior (UB) for 
the following reason. During bufferization, the linalg.init_tensor operation that 
returns an uninitialized tensor is lowered into memref.alloc. The memref.alloc 
operation is then converted into a malloc call in LLVM IR, and reading the uninitialized 
bytes of that allocation and using them may raise UB. 

Tensor arguments in MLIR are assumed to be fully initialized. linalg’s 
init_tensor is the only operation that creates an uninitialized tensor. Opera- 
tions like tensor.insert can create a partially initialized tensor. 


4.3 Calculating the Bit Width 


The bit width of the abstract representation of FP numbers is decided by the 
number of float registers and constants. Since all FP registers can store distinct 
FP numbers, the number of different FP numbers that may appear during the 
source and target program execution is bounded by the number of FP registers 
and distinct constants. 

However, an operation that does not return an FP number can internally 
observe an unseen number. For example, suppose is_int(x) returns 
true if the float x is an integral value. Given a UF floor_UF(x) that returns an 
abstract float with its fractional part truncated, this operation can be encoded as 
'x == floor_UF(x)', which hides an unseen number in floor_UF(x). 

Therefore, we count the number of UFs applied to abstract FP numbers 
while encoding the source and target instructions. The size of the BV field is 
⌈log₂ N⌉ where N is the number of applied UFs added to the number of FP 
arguments as well as distinct constants of the source and target functions. In 
the above example, is_int(x) must increment N even though it returns a boolean, 
because floor_UF(x) can return an unseen FP value. 


4 We describe the full encoding of constants of different types and other details in 
our online supplementary material [5]. 
    func @f(%x, %y: tensor<8xf32>) { 
      %z_src = tosa.add %x, %y 
      return %z_src 
    } 

    func @f(%x, %y: tensor<8xf32>) { 
      %z_tgt = tosa.add %y, %x 
      return %z_tgt 
    } 

    (a) 


    func @f(%x, %y: tensor<8xf32>, 
            %i: index) -> f32 { 
      %z_src = tosa.add %x, %y 
      %z_src_i = %z_src[%i] 
      return %z_src_i 
    } 

    func @f(%x, %y: tensor<8xf32>, 
            %i: index) -> f32 { 
      %z_tgt = tosa.add %y, %x 
      %z_tgt_i = %z_tgt[%i] 
      return %z_tgt_i 
    } 

    (b) 


    func @f(...) -> f32 { 
      %x_i, %y_i = %x[%i], %y[%i] 
      %z_src_i = addf %x_i, %y_i 
      return %z_src_i 
    } 

    func @f(...) -> f32 { 
      %x_i, %y_i = %x[%i], %y[%i] 
      %z_tgt_i = addf %y_i, %x_i 
      return %z_tgt_i 
    } 

    (c) 


Fig. 2. Reducing elementwise tensor operations into scalar operations. 


Considering Tensors and Memory. In general, a tensor with M elements 
must increase N by M because it can have M different floats. To reduce the 
bound, we again rely on the fact that finding only one counter-example is enough. 
If that counter-example is a tensor, one mismatched element is sufficient. 

If all tensor operations in the functions are elementwise, we can simply ignore 
tensors' dimensions and count them as FP numbers when evaluating N. Consider 
the example in Fig. 2(a). To validate that transforming the upper f to the lower 
f is correct, we must check whether %z_src[i] and %z_tgt[i] are equal for 
any i. Therefore, we can rewrite the functions into the form in Fig. 2(b) without 
affecting the correctness of the transformation. Note that the return types of the 
two functions are changed from tensor to float. Since tosa.add is an instruction 
that performs addf elementwise, choosing the i'th element of tosa.add's result only 
requires the i'th elements of its input tensors. Therefore, the functions can again be 
rewritten as in Fig. 2(c). Since only the i'th elements of tensors %x and %y are used, the 
functions can again be rewritten to take %x_i and %y_i as function arguments 
instead, which is not depicted in the figure. Therefore, validating the initial pair 
is equivalent to validating two functions taking and adding two FP numbers. 

Given a memref value, one can only access in-bounds locations. Thus, its size 
is added into N. If all tensor operations are elementwise, it is counted as one. 
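As an added illustration (not code from the paper or from mlir-tv) of the counting rule of Sect. 4.3, the following Python computes N and the resulting bit width over a toy instruction list. The instruction tuples, the per-op table of UF applications and the argument type encoding are assumptions of this example and are not MLIR syntax; Fig. 2's tosa.add is modelled as an elementwise addf.

```python
"""Added example, not code from the paper or from mlir-tv: computing the bound N
of Sect. 4.3 over a toy instruction list.  Instruction tuples look like
("addf", dst, lhs, rhs) or ("constant", value); argument types are 'f32',
('tensor', n_elems) or ('memref', n_elems).  All of this is assumed here."""
from math import ceil, log2

# How many UFs each abstract op applies to FP values.  Precise ops (negation,
# |x|, comparison) apply none; is_int applies floor_UF although it returns a
# boolean.  (Assumed table for this example.)
UF_APPLICATIONS = {"addf": 1, "subf": 1, "mulf": 1, "divf": 1, "powf": 1,
                   "negf": 0, "absf": 0, "cmpf": 0, "is_int": 1}

def count_args(args, elementwise_only):
    """A scalar counts once.  A tensor or memref contributes its element count,
    unless every tensor op is elementwise: then one mismatched element is
    enough for a counterexample and the whole value counts as one."""
    n = 0
    for ty in args.values():
        if ty == "f32":
            n += 1
        else:
            n += 1 if elementwise_only else ty[1]
    return n

def fp_bit_width(args, src_body, tgt_body, elementwise_only):
    """N = #FP args (shared: src and tgt have the same signature)
         + #distinct FP constants of src and tgt
         + #UF applications in src and tgt;  width = ceil(log2 N)."""
    consts = {ins[1] for ins in src_body + tgt_body if ins[0] == "constant"}
    ufs = sum(UF_APPLICATIONS.get(ins[0], 0) for ins in src_body + tgt_body)
    N = count_args(args, elementwise_only) + len(consts) + ufs
    return N, max(1, ceil(log2(N)))

# The operand-swap example of Sect. 4.1: 2 args + 0 constants + 1 + 1 = 4 -> 2 bits.
SWAP_ARGS = {"%a": "f32", "%b": "f32"}
SWAP_SRC = [("addf", "%c_src", "%a", "%b")]
SWAP_TGT = [("addf", "%c_tgt", "%b", "%a")]

# Fig. 2: two 8-element tensors under an elementwise add (constructed input).
ADD_ARGS = {"%x": ("tensor", 8), "%y": ("tensor", 8)}
ADD_SRC = [("addf", "%z_src", "%x", "%y")]
ADD_TGT = [("addf", "%z_tgt", "%y", "%x")]
```

The last two constants show the effect of the elementwise rule: with it the tensor pair needs the same 2 bits as the scalar example, without it every element is a potentially distinct float and N jumps to 18.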


5 Supporting Tensor Operations and Loops 


In this section, we introduce the SMT encoding of tensor operations and loops. 


5.1 Encoding Tensor Operations 


The result of a tensor operation is encoded as a lambda expression in SMT. 
For example, a negation of tensor t is encoded as 'lambda i, negate(select(t, i))' 
where i is a 32-bit bit-vector variable, 'select(t, i)' selects the i-th element from the 
SMT array of t, and 'negate(bv)' is an alias for an SMT expression extracting 
the sign bit of bv and concatenating its negation with the magnitude bits of bv. Note 
that it does not check whether i is within the bounds of the tensor, because the 
values at out-of-bounds indices cannot affect the program's behavior. 

For operations returning a multidimensional tensor, the lambda chooses and 
returns the element in row-major order. For example, the transpose of t whose size 
is N × N is encoded as 'lambda i, select(t, (i % N) × N + i / N)'. 


Encoding Reduction Operations. In general, reduction operations like sum- 
mation of an array cannot be precisely encoded in SMT-LIB 2. To support 
them, we abstractly encode the reduction operations using UFs. For example, 
we declare sum which is a UF taking an array and returning a float number. Since 
this is an over-approximation, the validation may fail. In this case, we perform 
abstraction refinement, which will be described in Sect. 6.3. 

The out-of-bounds elements of an array are wiped out before applying to 
UF because they must not affect the result. This is done by wrapping the input 
array with lambda and select. The select returns the value that do not affect the 
result of the reduction (e.g., —0.0 for a summation) if the index is out of bounds. 


Tensor Operations and Undefined Behavior. The documentation was not 
clear about the behavior of a program violating the assumptions that tensor 
operations expect at runtime. The violations include out-of-bounds access, size 
mismatch of dynamically shaped tensors, and reading an uninitialized element. 
If such a violation were defined as having well-defined side effects such as calling 
exit, dead tensor operations could not be freely removed, and lowering to LLVM IR, 
whose behavior may be undefined, could not be explained. Therefore, we define them as UB. 


5.2 Encoding Loops 


In MLIR, linalg loops are typically generated from high-level tensor opera- 
tions. Compared to loops in general programs, they are simple and syntactically 
provide rich information. The loop consists of instructions without side-effect 
(modulo UB), and linalg loops explicitly state input/output tensors’ index 
mappings as well as parallelizable induction variables. Therefore, we can con- 
struct the output tensor or buffer without synthesizing loop invariants. 


    #id = affine_map<(d0, d1) -> (d0, d1)> 
    #transposed = affine_map<(d0, d1) -> (d1, d0)> 

    // %C = %A + %B^T, %C's shape = %out's shape 
    %C = linalg.generic {indexing_maps = [#id, #transposed, #id], 
                         iterator_types = ["parallel", "parallel"]} 
      ins(%A, %B : tensor<?x?xf32>, tensor<?x?xf32>) outs(%out : tensor<?x?xf32>) { 
      ^bb0(%a: f32, %b: f32, %unused: f32): 
        %c = arith.addf %a, %b: f32 
        linalg.yield %c : f32 
    } -> tensor<?x?xf32> 
Consider the above loop that adds tensors %A and %B. The indexing maps (#id, 
#transposed, #id) are mappings from two induction variables (hence a doubly 
nested loop) to the indices of the input (%A, %B) and output (%out) tensors. The loop 
body shows that the initial value of %out is not used. Since iterations over each 
dimension have no dependency because they are parallel (iterator_types), we 
can conclude that %out[i][j] = %A[i][j] + %B[j][i]. 

In this section, we propose an encoding of loops in linalg using the lambda 
theory and a universal quantification. Encoding a loop in linalg starts with 
finding loop bounds. Loop bounds are determined by matching the ranges of the 
indexing maps with the tensor (buffer) sizes. Then, the loop body which yields 
the element of the resulting tensor is encoded. If the output type is tensor, the 
resulting tensor is encoded in lambda in row-major order. If the output type is 
buffer, the memory locations are accordingly updated. 

For the above example, the yielded result at each iteration is described 
as a lambda expression with two parameters: 'lambda (d0, d1), add(%A[d0, d1], 
%B[d1, d0])'. Then, the output tensor %C is encoded as a lambda with a single 
parameter i. It selects (i / N, i % N) from the first lambda, where N is %out's 
width. 


Determining Loop Bounds. If the sizes of %A and %B are larger than that of 
out, should the linalg.generic raise UB or add parts of the inputs? 

To find its valid semantics, the first transformation to consider is linalg's 
conversion from linalg.generic to a canonical for loop in another dialect. The 
conversion generates a for loop with the upper bounds of the induction variables 
explicitly given. The conversion sequentially visits the indexing maps, and finds 
the first dimension that exactly matches. Exact matching means that the range 
of the indexing map must be the identity, not e.g. d0 + 1. If such a dimension cannot 
be found, the linalg.generic is considered syntactically invalid. 

The second transformation is the canonicalization of linalg.generic. If 
a linalg.generic loop iterates over the input tensors and simply returns 
the elements, its output is replaced with the input tensors regardless of the 
input/output tensors’ shapes. However, if we determine the loop bounds only 
by the shape of the first matched tensor, this transformation cannot be justified 
when input tensors have different sizes. 

Therefore, we encode the loop bounds of linalg.generic as follows. First, 
we find loop bounds according to the algorithm of the first transformation 
(generic to for). For the above example, the upper bounds of d0 and d1 are 
the dimension sizes of %A because the first indexing map is for %A. Second, all 
input tensors' shapes must match the determined loop bounds, otherwise UB. 
In the case of the above example, the shapes of %A, %B and %out must be equal. 


Encoding Loops on Buffers. If inputs/outputs are buffers, tensors are loaded 
from the inputs, the loop is performed on the tensors, and the resulting tensor is 
stored into the output buffer. The input and output buffers of linalg.generic 
must be disjoint (Sect. 6.2). If the output buffer's layout map is the identity, the 
output memory block is updated using a lambda. If not, a fresh SMT array for 
the updated block is created, and the equalities between old/new elements of 
the block and the output tensor are encoded using forall quantifications. 


Encoding Reduction Loops. Induction variables which have "parallel" 
in the iterator_types attribute must appear as the parameters of the SMT 
lambda expression. Other variables, however, must be encoded accordingly. To 
encode reduction loops, we syntactically match the operand of the last yield 
and use the corresponding UF for the reduction (Sect. 5.1). This worked well in 
practice because the reduction loops in MLIR have common patterns. 
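The following Python is an added, concrete evaluator for the linalg.generic encoding described in this section; it is not code from the paper or from mlir-tv. It implements the loop-bound rule (first exactly matching dimension fixes a bound, mismatching operand shapes are UB), the row-major 'lambda i' construction of the output via (i / N, i % N), the transpose lambda of Sect. 5.1, and the reduction-by-UF pattern with a Python callable standing in for the UF. Indexing maps are modelled as tuples of induction-variable positions (so (d0, d1) -> (d1, d0) is (1, 0)), which only admits identity results; the loop body here returns the per-iteration contribution and the reduce callable adds the output's current element, a slight departure from the yield-accumulator form of Fig. 1(c). The sample tensors are constructed for the example.

```python
"""Added example, not code from the paper or from mlir-tv: a concrete evaluator
for the linalg.generic encoding of Sect. 5.2.  Indexing maps are tuples of
induction-variable positions; tensors are (flat row-major list, shape)."""
from itertools import product
from math import prod

class UB(Exception):
    """Raised where the encoding would mark the execution as undefined."""

def flatten(idx, shape):
    flat = 0
    for i, n in zip(idx, shape):
        flat = flat * n + i
    return flat

def unflatten(flat, shape):
    """(i / N, i % N) generalised to any rank, row-major."""
    idx = []
    for n in reversed(shape):
        idx.append(flat % n)
        flat //= n
    return tuple(reversed(idx))

def loop_bounds(maps, shapes, n_ivs):
    """Visit the indexing maps in order; the first dimension that is exactly an
    induction variable fixes that variable's bound.  Every operand's shape must
    then agree with the bounds it is indexed by, otherwise the loop is UB."""
    bounds = [None] * n_ivs
    for m, shape in zip(maps, shapes):
        for dim, iv in enumerate(m):
            if bounds[iv] is None:
                bounds[iv] = shape[dim]
    if None in bounds:
        raise ValueError("invalid linalg.generic: an induction variable has no bound")
    for m, shape in zip(maps, shapes):
        if tuple(bounds[iv] for iv in m) != tuple(shape):
            raise UB("operand shape does not match the loop bounds")
    return bounds

def linalg_generic(maps, iterator_types, inputs, output, body, reduce=None):
    """maps: one per input plus one for the output.  Parallel ivs are the
    parameters of the output lambda; reduction ivs are enumerated and their
    yields are folded by reduce(out_elem, yields), the stand-in for the UF."""
    in_maps, out_map = maps[:-1], maps[-1]
    shapes = [s for _, s in inputs] + [output[1]]
    bounds = loop_bounds(maps, shapes, len(iterator_types))
    red = [iv for iv, t in enumerate(iterator_types) if t == "reduction"]
    out_vals, out_shape = output
    result = []
    for i in range(prod(out_shape)):           # the single-parameter lambda i
        ivs = [None] * len(bounds)
        for dim, iv in enumerate(out_map):
            ivs[iv] = unflatten(i, out_shape)[dim]
        yields = []
        for rvals in product(*[range(bounds[iv]) for iv in red]):
            for iv, v in zip(red, rvals):
                ivs[iv] = v
            args = [vals[flatten([ivs[iv] for iv in m], shape)]
                    for (vals, shape), m in zip(inputs, in_maps)]
            yields.append(body(*args))
        result.append(reduce(out_vals[i], yields) if red else yields[0])
    return result, out_shape

def transpose_square(t, N):
    """Sect. 5.1's transpose: lambda i, select(t, (i % N) * N + i / N)."""
    return [t[(i % N) * N + i // N] for i in range(N * N)]

def add_transposed(A, B, out):
    """%C = %A + %B^T with maps #id, #transposed, #id; both ivs parallel."""
    return linalg_generic([(0, 1), (1, 0), (0, 1)], ["parallel", "parallel"],
                          [A, B], out, lambda a, b: a + b)

def matmul_accumulate(A, B, C):
    """%C + %A x %B of Fig. 1(c): maps (d0,d2), (d2,d1), (d0,d1); d2 reduces."""
    return linalg_generic([(0, 2), (2, 1), (0, 1)],
                          ["parallel", "parallel", "reduction"],
                          [A, B], C, lambda a, b: a * b,
                          reduce=lambda c, prods: c + sum(prods))

def raises_ub(fn, *args):
    try:
        fn(*args)
    except UB:
        return True
    return False
```

Feeding add_transposed a %B whose shape is not the transpose of %A's reproduces the shape-mismatch UB of the bound rule, since the bounds fixed by %A's map no longer agree with %B's dimensions.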


5.3 Supporting Arithmetic Properties of Reductions 


Floating-point addition and multiplication are not associative, but programmers 
sometimes want to boost performance at the expense of precision by allowing 
compiler optimizations that rely on the property. To encode the property, the 
definition of addition and multiplication must differ from IEEE-754, because 
using it causes inconsistency in the underlying logic. 

Then, what is the semantics of x + y + z? One possible solution is that its 
evaluation nondeterministically yields either (x + y) + z or x + (y + z) [11]. However, 
encoding this semantics in SMT requires introducing quantified variables. 

Therefore, as described in Sect. 5.1, we start from abstractly encoding reduction 
operations as UFs. For example, the UF sum takes an array [x, y, z] and returns 
its summation. A question is how to encode their arithmetic properties like 
sum([sum([x, y]), z]) = sum([x, sum([y, z])]). We introduce a new technique that 
works when the length of the input array is constant. This technique is not 
specific to summation but can be applied to any reduction. 


Encoding Commutativity. The first arithmetic property to consider is commutativity: 
'sum([..., x, ..., y, ...]) = sum([..., y, ..., x, ...])'. 

A straightforward solution is to use the multiset theory. Two sums are consid- 
ered equal if the multisets converted from input arrays are equal. For the solvers 
that do not support the multiset theory, a multiset can be simulated using an 
array taking an element and returning its count. However, this multiset-based 
approach does not scale well (Sect. 7.3). We conjecture that existing algorithms in 
the solvers are not good at checking the equality of two multisets (cvc5)/counter 
arrays (Z3). 

We suggest a hash-based approach for encoding the multiset equality. Our 
approach begins with defining a hash function F on an array. If two arrays are 
equal, their hash values must be equal. The inverse holds when the range of F 
is sufficiently large. It only uses the theory of UF and BV, which are cheap. 

To define F, we define another hash function f on floating-point numbers. 
F(A) is defined as the summation of the hash values of its elements, $\sum_{x \in A} f(x)$. By the 
arithmetic properties of bit-vector addition, F(A) = F(A') if A' is a permutation 
of A. The converse direction also holds: we prove that if F(A) = F(A') for every 
f, then A' is a permutation of A. 
Theorem 1. Given A and A' that are arrays of type T, if 
$\forall f.\ \sum_{x \in A} f(x) = \sum_{x \in A'} f(x)$ where $f \in T \to BV(\lceil \log_2 \max(|A|, |A'|) \rceil)$, 
then A' is a permutation of A. 


Proof. Let count(S, x) be the number of occurrences of x in the multiset S. For 
example, count({1, 1, 3}, 1) is 2. We first prove the following lemma. 


Lemma 1. Given two multisets S and S', S = S' holds if 

$\forall g.\ \sum_{x \in S} count(S, x) \cdot g(x) = \sum_{x \in S'} count(S', x) \cdot g(x)$ 

where $g \in T \to BV(\lceil \log_2 \max(|S|, |S'|) \rceil)$. 


Proof. Let g_k(x) be the function that returns 1 if x = k and 0 otherwise. 
By picking each element of S as k and g = g_k, we obtain count(S, k) = count(S', k) 
for every k, hence S = S' holds. 


Now assume that S is the multiset from array A and S' the multiset from A'. 
From the assumption $\forall f.\ \sum_{x \in A} f(x) = \sum_{x \in A'} f(x)$, we can derive 
$\forall g.\ \sum_{x \in S} count(S, x) \cdot g(x) = \sum_{x \in S'} count(S', x) \cdot g(x)$. Then we can 
apply the lemma. By the conclusion of the lemma, the two multisets are equal, 
hence A is a permutation of A'. 


For each pair of two sum function calls appearing in the source and target, 
their equality is encoded as a constraint. Since P ⇒ Q iff ¬Q ⇒ ¬P, the 
universal quantification in Theorem 1 can be converted into the existential 
form $sum(A) \neq sum(A') \Rightarrow \exists f.\ \sum_{x \in A} f(x) \neq \sum_{x \in A'} f(x)$. Since ∃f can be 
moved out to the top level, the precondition is quantifier-free. 


Encoding Flattening of a Nested Reduction. By expanding the hash-function-based 
approach, we can encode the equality between nested reductions. Consider this 
equality: 'sum([sum(A), sum(B)]) = sum(A + B)', where A + B is the concatenation 
of the two arrays. 

Since the array [sum(A), sum(B)] is not a permutation of A + B, the previous 
encoding does not guarantee that the two summations are equivalent. To support 
this case, given a hash function f and a summation sum(A), we add the precondition 
$f(sum(A)) = \sum_{x \in A} f(x)$. That is, the hash value of sum(A) is the 
summation of the hash values of x ∈ A. 

Note that the hash function is individually defined per pair of summations in 
the programs. This causes additional preconditions for each hash pair to relate 
inner and outer summations. We reduce the number of preconditions by unifying the 
hash functions into one⁵. 
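The following Python is an added illustration, not code from the paper or from mlir-tv, of the hash-based encoding of Sect. 5.3: F(A) is the sum of an element hash f over A in w-bit arithmetic, and where the SMT solver would pick f freely, the snippet enumerates every f over a small element domain, so both directions of Theorem 1 and the flattening precondition f(sum(A)) = Σ f(x) can be checked by brute force. The element domain, the width w and the sample arrays are constructed for the example; w is chosen so that multiplicities cannot wrap around modulo 2^w.

```python
"""Added example, not code from the paper or from mlir-tv: the hash-based
encoding of sum's commutativity and of nested-reduction flattening (Sect. 5.3),
checked concretely by enumerating every element hash over a small domain."""
from collections import Counter
from itertools import product

def array_hash(A, f, w):
    """F(A) = sum of f(x) over x in A, as a bit-vector of width w."""
    return sum(f[x] for x in A) % (1 << w)

def all_element_hashes(domain, w):
    """Every f : domain -> BV(w), as dicts: the solver's freedom, enumerated."""
    for vals in product(range(1 << w), repeat=len(domain)):
        yield dict(zip(domain, vals))

def is_permutation(A, B):
    """The multiset-theory formulation the hash replaces."""
    return Counter(A) == Counter(B)

def hashes_agree_for_all_f(A, B, domain, w):
    """Forward direction: permutations hash equal under every f."""
    return all(array_hash(A, f, w) == array_hash(B, f, w)
               for f in all_element_hashes(domain, w))

def distinguishing_f(A, B, domain, w):
    """Contrapositive of Theorem 1: if A and B are not permutations of each
    other, some f separates them.  The indicator g_k of an element k with a
    differing multiplicity works as long as 2^w exceeds the multiplicities,
    so that counts cannot wrap around."""
    for f in all_element_hashes(domain, w):
        if array_hash(A, f, w) != array_hash(B, f, w):
            return f
    return None

def indicator(domain, k):
    """g_k from the proof of Lemma 1: 1 at k, 0 elsewhere."""
    return {x: int(x == k) for x in domain}

def nested_hash(parts, f, w):
    """Hash of the outer array [sum(A_1), ..., sum(A_k)] under the flattening
    precondition f(sum(A_j)) = sum of f(x) over A_j."""
    return sum(array_hash(p, f, w) for p in parts) % (1 << w)

def flattening_holds(parts, domain, w):
    """With that precondition, the nested sum hashes like the flat array
    A_1 + ... + A_k (concatenation) under every f."""
    whole = [x for p in parts for x in p]
    return all(nested_hash(parts, f, w) == array_hash(whole, f, w)
               for f in all_element_hashes(domain, w))
```

For arrays that are not permutations of each other the enumeration finds a separating f, and the indicator of an element whose multiplicity differs is already one; this is the witness that lets the encoding drop the universal quantifier.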


6 Encoding Memory and Refinement 


MLIR has several dialects providing memory operations, such as memref, affine, 
and bufferization. We propose a memory model for these dialects. Also, we 
illustrate our SMT encoding for the model. 


5 Due to the limited space, we prove in our online supplementary material [5] that 
the unified hash function's range must not be smaller than [0, p²n), where p is the 
number of summation pairs and n is the maximum size of an array. 
6.1 Memory Model 


Memory Block. A memory is made up of smaller memory blocks in our memory 
model. A memory block is a unit of memory allocation, and is created either 
by memref.alloc, memref.alloca, clone-like operations of bufferization, or 
by defining a global variable. memref.alloca allocates a block on the stack, whereas 
memref.alloc has no such constraint. memref.dealloc frees the block. 

A memory block is uniquely identified by a block id. Its properties consist 
of the number of elements, block type, writability, liveness, and the list of 
elements together with a list of booleans indicating whether each element is 
initialized. The block type is a boolean value which shows whether it was created by 
memref.alloc. An allocating instruction creates a new memory block which is 
initially alive, writable, and fully uninitialized. A clone-like operation marks 
the source block as permanently read-only. Accessing a dead block is undefined 
behavior, and so is accessing an uninitialized element. This decision is 
described in Sect. 4.2 as well. 


Memory Reference. The memref type is a reference to a specific memory area. 
It consists of the pointed-to block's id, block offset, layout map, dimension sizes of 
the pointed-to area, and a flag indicating whether it is a view reference. A block 
offset may be non-zero because memref allows creating an aliased reference via 
memref.view, which may not point to the head of the block. A memref may point 
to an out-of-bounds area of the block, and accessing that area is UB. 

Loading a tensor from memref is well-defined if (1) the referenced area is 
within the bounds of the memory block, (2) the block is alive (i.e. not deallocated 
yet), and (3) the visited offsets are fully initialized. Writing a tensor is well- 
defined if the area is in-bounds and the block is alive and writable. 


6.2 Encoding the Memory Model 


The properties of memory blocks are encoded as SMT variables size, 
writable, liveness, block_type, elements, initialized. By default, all 
properties are defined as SMT variables because we cannot make any assumption 
on how and when a block is created in general. If the block’s definition is visible 
(e.g., it is a global variable), they are initialized with literals in SMT. elements 
and initialized are encoded as SMT arrays from the offset to the value and 
boolean. 

The number of blocks necessary to validate the transformation is determined 
via static analysis, which is described in [30]. The number is bounded because 
we do not support loops containing allocating operations. This works in practice 
because allocations are usually located outside of the loops. After the analy- 
sis, each block and property declares one SMT variable. The blocks for global 
variables and allocating operations are assigned constant block ids. 
Local and Non-local Blocks. We adopt the notion of local and non-local 
blocks from [30]. Local blocks are created by the allocating instructions that 
belong to the validated function, whereas non-local blocks are not. Only the 
non-local blocks are checked at the refinement of final states. We do not consider 
escaped local blocks because (1) memref cannot have memref as its element type, 
and (2) we do not support call instructions. 


Encoding Memory Access. The SMT encodings of memory load/store operations 
follow the encodings described in [30]. The result of loading a value from 
memref %m is encoded as ite(%m.bid = 0, arr0[%m.ofs], ite(%m.bid = 1, ...)) where 
arr0 has the elements of memory block 0. Storing a value to a memref updates the 
elements of possibly aliased blocks with ites. 

Encoding the disjointness of two memref accesses — which is required by several 
buffer operations — is hard in general because a memref can point to non-contiguous 
locations in arbitrary patterns. Therefore, we support encoding the 
disjointness of memrefs with trivial, row-major layout maps only, raising an 
error otherwise. 


6.3 Compiler Correctness and Abstraction Refinement 


Finally, we compare the final states of the source and target functions. A final 
state is defined as (ub, m, v) where ub is UB, m is the memory, and v is the 
return value. A final state refines another, or $(ub, m, v) \sqsupseteq (ub', m', v')$, if (1) ub 
is true, or (2) ub = ub', v = v'⁶, and m refines m'. A memory m refines m' if, for 
non-local blocks (b, b') with the same id in the source and target, (1) if reading b at 
offset o is successful, so is the access to o at b', and (2) if b is writable, so is 
b'. For any input state I consisting of an initial memory and argument values, 
$f_{src}(I) \sqsupseteq f_{tgt}(I)$ must hold where f(I) denotes the final state of function f. In 
SMT, the formula is inverted to remove the outermost quantification. 
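The rules of Sects. 6.1 and 6.3 as an added, concrete Python model. This is not mlir-tv's SMT encoding (the tool declares every block property as an SMT variable or array and reasons about all executions at once); it runs a single execution so the conditions can be checked by hand. Blocks carry size, block type, writability, liveness and per-element initialization; load and store report UB under the conditions stated above; refines implements the final-state relation over non-local blocks. Passing block ids explicitly (to mirror the statically assigned ids), requiring equal loaded values in memory_refines, the clone modelling and the scenario functions are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass
class Block:
    """One memory block (Sect. 6.1), held concretely instead of as SMT variables."""
    size: int
    local: bool = True                 # allocated inside the validated function?
    writable: bool = True
    alive: bool = True
    elements: List[Any] = field(default_factory=list)
    initialized: List[bool] = field(default_factory=list)

    def __post_init__(self) -> None:   # fresh block: alive, writable, fully uninitialized
        self.elements = [None] * self.size
        self.initialized = [False] * self.size


@dataclass
class MemRef:
    """A 1-D memref: referenced block id, offset into the block, size of the viewed area."""
    bid: int
    offset: int
    size: int


class Memory:
    def __init__(self) -> None:
        self.blocks: Dict[int, Block] = {}

    def new_block(self, bid: int, size: int, local: bool = True) -> None:
        self.blocks[bid] = Block(size, local)      # ids are fixed per allocation site (assumption)

    def dealloc(self, bid: int) -> None:
        self.blocks[bid].alive = False

    def clone(self, src_bid: int, new_bid: int) -> None:
        """Clone-like op: copy the block; the source becomes permanently read-only."""
        src = self.blocks[src_bid]
        src.writable = False
        self.new_block(new_bid, src.size)
        self.blocks[new_bid].elements = list(src.elements)
        self.blocks[new_bid].initialized = list(src.initialized)


def load(mem: Memory, ref: MemRef, idx: int) -> Tuple[bool, Any]:
    """(ub, value): UB when out of bounds, block dead, or element uninitialized."""
    blk, o = mem.blocks[ref.bid], ref.offset + idx
    if not (0 <= idx < ref.size and 0 <= o < blk.size) or not blk.alive or not blk.initialized[o]:
        return True, None
    return False, blk.elements[o]


def store(mem: Memory, ref: MemRef, idx: int, val: Any) -> bool:
    """True when the store is UB: out of bounds, block dead, or block read-only."""
    blk, o = mem.blocks[ref.bid], ref.offset + idx
    if not (0 <= idx < ref.size and 0 <= o < blk.size) or not blk.alive or not blk.writable:
        return True
    blk.elements[o], blk.initialized[o] = val, True
    return False


FinalState = Tuple[bool, Memory, Any]          # (ub, memory, return value)


def memory_refines(src: Memory, tgt: Memory) -> bool:
    """m refines m': compared on non-local blocks with the same id (Sect. 6.3)."""
    for bid, b in src.blocks.items():
        if b.local:
            continue
        b2 = tgt.blocks.get(bid)
        if b2 is None or (b.writable and not b2.writable):
            return False
        for o in range(b.size):
            ub, v = load(src, MemRef(bid, 0, b.size), o)
            if ub:
                continue                       # source read is UB: nothing required of the target
            ub2, v2 = load(tgt, MemRef(bid, 0, b2.size), o)
            if ub2 or v2 != v:                 # requiring equal values is this example's choice
                return False
    return True


def refines(src: FinalState, tgt: FinalState) -> bool:
    """(ub, m, v) refines (ub', m', v'); a source UB refines anything."""
    ub, m, v = src
    ub2, m2, v2 = tgt
    return ub or (not ub2 and v == v2 and memory_refines(m, m2))


# Constructed scenarios (not from the paper) exercising the rules above.
def scenario_target_skips_store() -> bool:
    src, tgt = Memory(), Memory()
    src.new_block(0, 4, local=False)           # non-local input buffer, bid 0
    store(src, MemRef(0, 0, 4), 0, 1.0)
    tgt.new_block(0, 4, local=False)           # element 0 never written in the target
    return refines((False, src, None), (False, tgt, None))


def scenario_source_ub() -> bool:
    src, tgt = Memory(), Memory()
    src.new_block(1, 2)
    src.dealloc(1)
    ub, _ = load(src, MemRef(1, 0, 2), 0)      # read of a dead local block
    tgt.new_block(1, 2)
    return refines((ub, src, 0), (False, tgt, 42))


def store_to_cloned_source_is_ub() -> bool:
    m = Memory()
    m.new_block(2, 2)
    m.clone(2, 3)
    return store(m, MemRef(2, 0, 2), 0, 5.0)  # the clone's source is now read-only
```

scenario_target_skips_store shows why the target must reproduce every successful source read: a transformation that drops a store to a non-local buffer is rejected, while scenario_source_ub shows the other direction, a source that hits UB is refined by any target.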


Abstraction Refinement. To make validations cheap on average, we progressively 
refine the abstraction scheme that describes the abstraction level of the 
encodings. Abstraction refinement happens when a validation fails or times out. 

In the first round, the integer and FP dot operations are encoded using 
independent UFs which are not related to a summation. Also, FP numbers of 
different types are independently encoded and casts are defined as full UFs. If 
validation fails, the dot operations are encoded as a composition of a summation 
and multiplications, and the encoding for casts described in Sect. 4.1 is used. If 
this also fails, summations of arrays having small constant numbers of elements 
are unrolled into a sequence of additions and validated again. This validates, for 
example, folding sum([1.0,2.0]) into 1.0 + 2.0. 


6 For floats, NaNs of different signs are considered equivalent. For memrefs, we do 
not support references to local blocks because it needs universal quantifications [30]. 
Validating functions returning such values may result in false alarms. 
Our abstraction cannot validate the constant folding optimization in general. 
To address this, mlir-tv provides a command-line option for using IEEE-754. 
It disables the unsafe properties on reductions because they are not compatible. 


7 Implementation and Evaluation 


mlir-tv consists of 8,900 lines of C++ code. It supports 25 tosa ops, 11 memref 
ops, 13 linalg ops, 10 tensor ops, 29 arith ops, 3 bufferization ops, and 8 
other ops. mlir-tv uses Z3 4.8.13 and cvc5 0.0.3 as solvers, with a 30 s timeout. 
The experiments in this section are performed using Z3 because Z3 showed better 
performance than cvc5 in mlir-tv's sanity tests. We used an Apple M1 CPU 
and 16 GB RAM with a fixed version of MLIR (b5a0f0f, 26/Dec). 

We wrote 57 function pairs to check that it validates correct transformations 
and finds counterexamples for wrong pairs. From these tests, we observed that 
using the abstract encoding was 13.6x faster on average than the concrete IEEE- 
754 encoding. Shrinking the bit width of abstract FP (Sect. 4.3) was important 
because it brought 2.2x speedup compared to simply using 32 bits. 


7.1 Validating MLIR Unit Tests 


We validated the unit tests in the official MLIR project using mlir-tv. The unit 
tests (1) apply specific transformations to small, pre-defined MLIR programs, 
and (2) check whether the output programs syntactically match the test patterns. 
Using mlir-tv, we validated that the outputs of the transformations preserved 
the semantics of the inputs as well. We bounded the size of dynamic-shaped 
tensors to 100 to avoid timeouts. Bugs in tests with such tensors may have been 
missed. 

Among MLIR's unit tests, which consist of 2,467 function pairs in total, 
mlir-tv validated 433 tests, raised a timeout for 8 tests, and failed for 8 tests. 
Validating the tests did not require encoding the unsafe arithmetic properties for 
reductions, but we are aware of uncovered transformations that require them. 

We could find several issues in the semantics of MLIR dialects. 


Signed Zero, NaN and -∞. The tosa.conv2d and tosa.depthwise_conv2d 
operations are lowered to linalg.pad_tensor with the input tensors padded 
with +0.0. Also, we found that MLIR was folding x + (+0.0) into x. However, this 
is incorrect since (1) x + (+0.0) ≠ x if x = -0.0 and (2) the tosa specification [6] 
states that an FP type must support signed zero. This problem was also found 
in the tosa.fully_connected and tosa.reduce_sum operations whose lowered 
loops fill the initial tensors with +0.0. We reported these issues to the LLVM 
community. After the report, the x + (+0.0) → x folding has been fixed [1]. We also 
found that lowering tosa.clamp and tosa.max_pool2d does not preserve their 
outputs if the inputs contain a NaN and -∞ value. 
Performance Comparison 

[Fig. 3(a): bar chart of mlir-tv elapsed time in ms (logarithmic axis with ticks 1000 and 10000 and a T/O line) for the test cases sum-RV (100), sum-TP (200), sum-CC (10), dot-RV (200) and dot-CC (300), with four bar series: Z3 (hash), cvc5 (hash), Z3 (multiset), cvc5 (multiset). Bar heights are not recoverable from the text.] 

Fig. 3(b) test cases: 
Name    Transformation 
sum-RV  Σ rev(X) → Σ X 
sum-TP  Σ Xᵀ → Σ X 
sum-CC  (Σ X1, Σ X2) → Σ (X1 ++ X2) 
dot-RV  rev(X1) · rev(X2) → X1 · X2 
dot-CC  X1 · X2 + X3 · X4 → (X1 ++ X3) · (X2 ++ X4) 

Fig. 3. (a) A graph showing the effectiveness of our encoding of unsafe arithmetic 
properties of reduction operations. The numbers below the labels indicate the sizes of 
input tensors. The Y-axis shows the running time of mlir-tv. Timeout is 30,000 ms. 
(b) Descriptions of the test cases. X is a 1D or 2D tensor, Σ is a summation, rev is a 
reverse, · is a dot product, and ++ is a concatenation. 


memref Operations and Read-Only Blocks. We couldn’t find a good seman- 
tics for linalg.fill with a memref reference to a read-only memory block given 
as its operand. If linalg.fill with a read-only memref raises UB, it cannot 
explain the linalg-bufferize transformation because it creates linalg.fill 
with its memref operand pointing to a read-only block. If it is well-defined, it 
cannot explain the linalg-generalize-named-ops transformation because this 
converts linalg.fill into a loop storing a value to the pointer. 

We found that the buffer-deallocation transformation was introducing UB. It 
inserts memref.dealloc to free the unused result of memref.clone. But, mutating 
the result of clone is UB according to the specification. 

Also, it was not clearly stated in the document when memref.clone makes 
the referenced location read-only. We discussed this issue in the online LLVM 
Discussion Forums, and the document was fixed to clearly state that it is imme- 
diately after the operation that the block becomes read-only [2]. 


7.2 Validating Compilation of Deep Learning Models 


We compiled the TF Lite models of text_classification_v2, SqueezeNet [25] 
and MobileNet [24], taken from the official TensorFlow website [7,8], by 
running them through tosa-to-linalg, tosa-to-standard, canonicalize, 
fuse-elementwise-ops, tensor-constant-bufferize, linalg-bufferize, 
tensor-bufferize transformations. To address validation failures of tosa- 
to-linalg due to the problem in tosa’s +0.0 handling, we tweaked mlir-tv so 
that it recognizes +0.0 used by certain operations as —0.0 instead. 

To validate them in a reasonable time, we split the source and target programs 
into smaller functions. Since the networks did not have complex control 
flows other than loops, splitting was not very hard. The split functions contain 
9.5 to 11.6 instructions on average. All transformations were validated correctly 
in text_classification_v2, but the last two transformations failed in the 
other models since they have unsupported operations. 
7.3 Performance Evaluation of Hash-Based Encoding 


We compared the performance of our hash-based encoding to the multiset-based 
encoding. In the latter encoding, two reductions are assumed to be equal 
if the multisets converted from the input arrays are equal. For cvc5, we used its 
native multiset theory. For Z3, we simulated multisets by defining an array that 
counts the numbers of elements. We set the QF_AUFBV logic for Z3 by default and used 
the ALL logic only when the solver failed. For cvc5, we used the HO_AUFBV and HO_ALL 
logics respectively. We ran tests 10 times and calculated their average execution 
times. The timeout was set to 30 s. 

[Fig. 4: bar chart of dot-RV running times by tensor size; bar values are not recoverable from the text.] 

Fig. 4. Running times of dot-RV by tensor size. Timeout is 30,000 ms. 

Our hash-based encoding was faster than the multiset-based encoding in all 
cases (Figs. 3 and 4). cvc5's multiset theory performed better than Z3's array 
encoding, but was still slower than the hash-based encoding. The hash-based 
encoding showed consistent running time regardless of tensor size. 
8 Related Work 


Verifying Programs with Floating-Points. Strategies for verifying pro- 
grams using FP arithmetic (FPA) vary with their goals and background the- 
ories. Several works using abstract interpretation [29], SMT solvers [23,40] or 
computer algebra systems [31] target checking round-off errors of FP operations 
automatically. Axiomatizing and verifying FPA in theorem provers [12] enable 
us to make analysis sound and complete, but they require significant efforts. 

To realize bit-precise FP reasoning in SMT, one can use a bit-vector rep- 
resentation of FP numbers (bit-blasting). Since bit-blasting can generate large 
and complex formulae, researchers have tried to find better FP abstraction. [15] 
presents an abstraction technique using either large or reduced precision of FPA. 
UppSAT [44] proposes an abstraction framework including fixed-point and real 
arithmetic. SymFPU [13] gives an effective yet correct bit-vector encoding of 
FPA considering various types and special cases of IEEE 754. 


Verifying Programs Using Arrays. Several works have proposed their 
approaches to embedding the theory of arrays [34] into SMT solvers. [21,35] 
consider array read and write terms as uninterpreted functions, and regard the 
theory of array as axioms. FreqHorn [20] and SPACER [26] utilize constrained 
Horn clauses (CHC) engines. [27] analyzes array programs with broader theories 
by translating the axioms of the theory of array into the CHC format. 

Yet another approach uses mathematical induction-based techniques to rea- 
son about array-manipulating programs with loops. [16] verify the validity of 
a given parameterized Hoare triple where the length of array N is used as a 
parameter of the pre- and post-condition. 
Machine Learning Compilers. Optimizing deep-learning-specific workloads 
has been a major working field for both hardware vendors [3,4] and software 
developers [9,19]. These frameworks translate neural-net representations in several 
frameworks into high-level computation graphs. Then, they optimize the 
graphs via well-known optimizations such as operator fusion or data layout 
transformation. Recent works allow optimization of dynamic workloads [38,45] and 
support optimizations for heterogeneous systems [43]. 

[39] surveyed the bugs in DL compilers. They reported that the high-level 
IR transformations are the most buggy ones and stated that finding wrong code 
generation is challenging and should receive more attention. 


Compiler Verification. [11] relaxes FPA semantics since a compiler can ignore 
strict IEEE-754 behavior like fast-math optimizations in LLVM. They propose 
Icing which is a language allowing IEEE 754-unsafe FPA optimizations, and 
CakeML [28] which is a verified compiler with the optimizations. [32] proposes a 
verified tensor optimizer whose optimizations can be explored via Coq’s tactics. 

As for translation validation (TV), [18] proposes a practical TV framework for 
Halide which is a language for processing arrays. To support fast-math optimiza- 
tions, it mainly uses Z3’s type for real numbers. For general-purpose compilers, 
many different tools have been developed [36]. Alive2 [33], LLVM-MD [42] and 
Peggy [41] validate the transformations in LLVM using various techniques. The 
SMT memory model for Alive2 [30] uses a technique that is similar to our app- 
roach in order to bound the number of memory blocks. Some TV tools [17,22] 
split the original programs and validate the smaller pairs. 


9 Conclusion 


We propose mlir-tv, an SMT-based translation validation framework for MLIR. 
It abstractly encodes the FP arithmetic and reduction operations in SMT. Since 
the abstraction is an over-approximation, mlir-tv does not miss bugs unless a 
flag for bounding the size of dynamically shaped tensors is given. If validation 
fails, mlir-tv tries again with refined abstractions. We also propose a hash-based 
approach for encoding arithmetic properties of reductions, which outperformed a 
multiset-based one. mlir-tv found several mismatches between the specification 
and implementation of MLIR from the unit tests. Finally, mlir-tv validated 
high-level transformations for three pretrained DL models. 
Abstract. Due to the beyond-classical capability of quantum computing, 
quantum machine learning is applied independently or embedded in 
classical models for decision making, especially in the field of finance. 
Fairness and other ethical issues are often one of the main concerns in 
decision making. In this work, we define a formal framework for the 
fairness verification and analysis of quantum machine learning decision 
models, where we adopt one of the most popular notions of fairness in 
the literature based on the intuition—any two similar individuals must 
be treated similarly and are thus unbiased. We show that quantum noise 
can improve fairness and develop an algorithm to check whether a (noisy) 
quantum machine learning model is fair. In particular, this algorithm can 
find bias kernels of quantum data (encoding individuals) during check- 
ing. These bias kernels generate infinitely many bias pairs for investi- 
gating the unfairness of the model. Our algorithm is designed based on 
a highly efficient data structure—Tensor Networks—and implemented 
on Google’s TensorFlow Quantum. The utility and effectiveness of our 
algorithm are confirmed by the experimental results, including income 
prediction and credit scoring on real-world data, for a class of random 
(noisy) quantum decision models with 27 qubits ($2^{27}$-dimensional state 
space) tripling ($2^{18}$ times more than) that of the state-of-the-art 
algorithms for verifying quantum machine learning models. 


Keywords: Quantum Machine Learning - Fairness Verification - 
Quantum Noise - Quantum Decision Model 


1 Introduction 


Quantum Machine Learning: Google’s quantum supremacy (or advantage) 
experiment demonstrated that a quantum computer Sycamore with 53 noisy 
superconducting qubits can do a specific calculation, namely sampling, in 200s 
that would take (arguably) 10,000 years on the largest classical computer using 
existing algorithms [1]. More recently, a quantum computer Jiuzhang with 76 
noisy photonic qubits was used to perform a type of Boson sampling in 20s that 
would require 600 million years for a classical computer [2]. These experiments 
mark the beginning of the Noisy Intermediate-Scale Quantum (NISQ) computing 
era, where quantum computers with tens-to-hundreds of qubits become a reality, 
but quantum noise still cannot be avoided. 

Quantum machine learning is believed to be a far frontrunner in setting a 
path for practical beyond-classical applications of NISQ quantum devices. This 
stimulates the fast development of various quantum machine learning (see [3] 
for a review). Stepping into industries, Google recently built up a framework 
TensorFlow Quantum for the design and training of quantum machine learning 
within its well-known classical machine learning platform—TensorFlow [4]. 

Classical machine learning has led to automated decision models assuming a 
significant role in making real-world decisions, especially in finance [5]. Such (finan- 
cial) decision tasks are known to face the curse of dimensionality as there are too 
many features available to model customers/users. Principal component analysis 
(PCA) is one of the most popular methods for dimensionality reduction. It was 
recently shown that quantum PCA Algorithm [6] can run exponentially faster on 
a quantum processor. At the same time, the training process of quantum machine 
learning could be sped up exponentially (compared with classical training) by 
using quantum PCA to implement iterative gradient descent methods for network 
training [7]. It is worth noting that this quantum approach is generic in the sense 
that it can be applied to various types of neural networks, including shallow, convo- 
lutional, and recurrent networks, and thus can mitigate the high complexity issue 
of classical training. Because of these reasons, quantum machine learning has been 
introduced to be applied independently or embedded in classical decision-making 
models, e.g. fraud detection (in transaction monitoring) [8,9], credit assessments 
(risk scoring for customers) [10,11], and recommendation systems for content dis- 
semination [12] (see reviews [13,14] for more information). Similar to the classical 
counterparts, the quantum models are trained on individuals’ information, e.g. 
saving, employment, salary (encoded as quantum data). 


Fairness in Machine Learning: It is well-known that classical decision models 
are prone to discriminating against users/consumers on the basis of characteris- 
tics such as race and gender [15], and have even led to legal mandates of ensuring 
fairness. To develop fair models, various attempts have been made to precisely 
define and quantify fairness. They broadly fall into two categories: group and indi- 
vidual fairness. Group fairness aims to achieve through statistical parity the same 
outcomes across different protected groups (e.g. gender or race) [16,17], whereas 
individual fairness advocates treating similar individuals similarly (receiving the 
similar outcomes) [18] (see [19,20] for various definitions of fairness and discus- 
sions about their relationship). The computer science community has endeavoured 
to check and avoid bias in classical decision models in the sense of different types 
of fairness (e.g. [18,19,21]). In particular, several verifiers for formal analysis and 
fairness verification have been designed and implemented, including FairSquare 
[22], VeriFair [23] and Justicia [24]. 
Inevitably, the same issue of fairness arises in the quantum models too. 
Furthermore, as quantum machine learning is principled by quantum mechanics, 
which is usually hard to explain to the end-users, it is even more important 
to verify fairness when a decision is made by a quantum machine learning algo- 
rithm. However, to the best of our knowledge, the verification problem of fairness 
in quantum algorithms has not yet been touched. 


Contributions of this Paper: In this work, we define a formal framework 
so that the fairness of quantum machine learning decision models can be ver- 
ified and analyzed in a principled way. Our design decision is as follows: we 
focus on individual fairness—treating similar individuals similarly [18]. The trace 
distance—one of the most widely used quantities in quantum information [25, 
Section 9.2]—is chosen as the metric for measuring the similarity of quantum 
data (individuals) in defining fairness. Our main technical contributions include: 


(1) Problem Reduction: We prove that for a given (noisy) quantum decision 
model, checking the fairness can be reduced to a variant of distinguishing quan- 
tum measurements (states), a fundamental problem in quantum information. 
We resolve this specific variant problem by finding the maximum difference 
between the eigenvalues of the matrices generated by quantum measurements. 
As a corollary, we show that quantum noise can improve fairness. 

(2) Algorithm: Based on (1), an algorithm is developed to exactly and effi- 
ciently check whether or not a quantum machine learning decision model is 
fair. A special strength of this algorithm is that it can identify bias kernels 
during the checking, and these kernels generate infinitely many bias pairs, 
that is, two similar quantum data that are not treated similarly. Then these 
bias pairs can be used to investigate the bias of the decision model. 

(3) Case Studies: The effectiveness of our algorithm is confirmed by experi- 
ments on quantum (noisy) decision models with 8 or 9 quantum bits (qubits) 
for income prediction and credit scoring on real-world data. In particular, 
its efficiency is shown by a class of random quantum decision models with 27 
qubits, which works on a $2^{27}$-dimensional state space. The state-of-the-art 
verification algorithm [26] for quantum machine learning was only able to 
deal with (the robustness with) 9 qubits. Our experiments can be consid- 
ered a big step toward the demanded number (>50) of qubits in practical 
applications of the NISQ era. 


1.1 Related Works and Challenges 


To put our work in an appropriate context, let us further discuss some related 
works and the challenges we face in this paper. 


Classical Versus Quantum Models: In order to identify and mitigate the 
bias of classical machine learning decision models, an algorithm for maximizing 
utility with fairness guarantee was proposed [18]. Then the strategy of search- 
ing input data with linear and integral constraints is employed in a verifier for 
proving individual fairness of a given decision model [21]. The verifier is sound 
but not complete in general. But in the case of linear models, it is exact (both 
sound and complete) if the worst-case exponential time is allowed. However, 
although quantum decision models are always linear, the above technique can- 
not be directly generalized from the classical case to the quantum case. The 
main obstacle here is that the corresponding constraints in the quantum models 
are nonlinear, and thus searching the data set in a linear domain is ineffective 
in the quantum case. In this paper, we surmount this obstacle by reducing the 
quantum fairness verification problem to determining the distinguishability of 
a quantum measurement, which is independent of input data. Then we resolve 
the latter by eigenvalue analysis with polynomial time in the dimension of input 
quantum data. As a result, our algorithm is exact (sound and complete) and 
efficient. 


Fairness Versus Robustness: As in the classical case, the individual fairness 
considered in this paper can be thought of as a kind of global robustness [21]. 
This will be formally discussed in Sect. 3. In the last few years, quite a few papers 
have been devoted to (adversarial) robustness verification of quantum machine 
learning (e.g. [26-28]), where a verifier is given a nominal input quantum datum 
and it checks robustness in a neighborhood of that particular input datum. 
However, the techniques developed in these works cannot be directly generalized 
to solve our problem of fairness verification, because we are required to check a 
global property. Instead, we transfer the impact of the evolution of the quantum 
machine learning model on input quantum data to quantum measurements. 


Efficiency: As the dimension of input data increases exponentially with the 
number of qubits, efficiency is always a key issue in the verification of quantum 
machine learning models. The state-of-the-art algorithms for robustness verifi- 
cation mentioned above can only cope with quantum machine learning models 
with 9 qubits¹. In this paper, we boost the scale up to 27 qubits on a small 
server, which represents a big step toward the demand in practical applications 
of NISQ devices (>50 qubits). The speedup originates not only from the high 
efficiency of our algorithm but also from the underlying data structure we adopted— Tensor 
Network [29]—which can exploit the locality and regularity of the underlying 
circuits of quantum decision models and thus further optimize the algorithm. 


2 Quantum Decision Models 


For convenience of the reader, in this section, we review the setup of quantum 
(machine learning) decision models in their most basic form. 


Classical Models: In the classical world, a classification decision model is a 
mapping $f_c : C \to O$, where C is a set of data to be classified, and O is a 
set of outcomes corresponding to the classes we are interested in; for example 
O = {0, 1} in the simplest non-trivial (binary) case. Such a model $f_c$ can be 
generalized to be a randomized mapping $f_r : C \to \mathcal{D}(O)$, where $\mathcal{D}(O)$ denotes 
the set of probability distributions over O. $f_r$ is known as a regression decision 
model to predict distributions and naturally describes a randomized classification 
procedure: to classify x ∈ C, choose an outcome o ∈ O according to the 
distribution $f_r(x)$. For example, o is chosen as the outcome corresponding to the 
maximum probability of $f_r(x)$. Therefore, the basic form of a classical decision 
model is a randomized mapping $f = f_r$ ($f = f_c$ when f is degenerated to be a 
deterministic mapping). 

1 The experiments of [26] were performed on a personal computer and the size is at 
most 8 qubits. We have estimated and tested the same experiments on the server we 
used in this paper and only 9 qubits can be handled. 

412 J. Guan et al. 
Fig. 1. Noisy Quantum (Machine Learning) Decision Model 


Quantum Models: Due to the statistical nature of quantum mechanics, a quantum 
decision model is inherently a randomized mapping $\mathcal{A} : \mathcal{D}(\mathcal{H}) \to \mathcal{D}(O)$. Here 
$\mathcal{D}(\mathcal{H})$ is the set of quantum states (data), to be made specific later. Inspired by 
the classical models, $\mathcal{A}$ is not predefined but initialized as $\mathcal{A}_\theta$ by a parameterized 
quantum circuit $\mathcal{E}_\theta$ (see Fig. 1) with a set of free parameters $\theta = \{\theta_i\}_i$. 
Following the training strategy of classical machine learning, $\mathcal{A}_\theta$ is trained on a 
set of input quantum states (training dataset) by tuning θ subject to some loss 
function $\mathcal{L}(\theta)$. 

In the following, we explain the noisy quantum decision model from the left 
side to the right one of Fig. 1. For the details of the training process, we refer to 
a comprehensive review paper [30]. 


Input State ρ: The input state of the model is a quantum mixed state ρ, 
which is mathematically modelled by a positive semi-definite complex matrix, 
written as ρ ≥ 0, with unit trace². ρ admits a decomposition form³: $\rho = \sum_k p_k \psi_k$ 
where $\{p_k\}$ is a probability distribution and each $\psi_k$ is a rank-one positive semi-definite 
matrix, i.e., $\psi_k = |\psi_k\rangle\langle\psi_k|$. Here, $|\psi_k\rangle$ is a unit vector and $\langle\psi_k|$ is 
the entry-wise conjugate transpose of $|\psi_k\rangle$, i.e., $\langle\psi_k| = |\psi_k\rangle^\dagger$. Physically, $|\psi_k\rangle$ 
represents a pure state, and ρ represents an ensemble $\{(p_k, |\psi_k\rangle)\}_k$, often called 
a mixed state, meaning that ρ is at $|\psi_k\rangle$ with probability $p_k$. In particular, if 
ρ = ψ for some pure state |ψ⟩, then the ensemble is deterministic; that is, it 
degenerates to a singleton {(1, ψ)}. In general, the statistical feature of ρ may 
result from quantum noise, which is unavoidable in the current NISQ era, from 
the surrounding environment. 

2 ρ has unit trace if tr(ρ) = 1, where the trace tr(ρ) of ρ is defined as the sum of the 
diagonal elements of ρ. 

3 There are generally infinitely many such decompositions; one instance is the eigen-decomposition, 
i.e., $p_k$ and $|\psi_k\rangle$ are the eigenvalues and eigenvectors of ρ, respectively. 


Example 1 (Qubits - Quantum Bits). A pure state of a single qubit q is described 
by a 2-dimensional unit vector and in the Dirac notation it can be written as: 

$|\psi\rangle = \begin{pmatrix} a \\ b \end{pmatrix} = a|0\rangle + b|1\rangle$ for $|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}$, $|1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}$ and $|a|^2 + |b|^2 = 1$, 

and ensembles $\{(\tfrac{1}{2}, |0\rangle), (\tfrac{1}{2}, |+\rangle)\}$ and $\{(\tfrac{1}{6}, |1\rangle), (\tfrac{5}{6}, |\phi\rangle)\}$ of q are represented by 
the same 2-by-2 mixed state 

$\rho = \tfrac{1}{4}\begin{pmatrix} 3 & 1 \\ 1 & 1 \end{pmatrix} = \tfrac{1}{2}|0\rangle\langle 0| + \tfrac{1}{2}|+\rangle\langle +| = \tfrac{1}{6}|1\rangle\langle 1| + \tfrac{5}{6}|\phi\rangle\langle\phi|$ 

where $|+\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|\phi\rangle = \tfrac{1}{\sqrt{10}}(3|0\rangle + |1\rangle)$. 


For a system of multiple qubits $q_1, \ldots, q_n$, the state space is a $2^n$-dimensional Hilbert (linear) space, denoted by $\mathcal{H}$. As a result, pure and mixed states on $\mathcal{H}$ are $2^n$-dimensional unit vectors and $2^n \times 2^n$ positive semi-definite matrices with unit trace, respectively. It is worth noting that the dimension $2^n$ of the state space $\mathcal{H}$ grows exponentially with the number $n$ of qubits. Thus, describing a quantum system with a large number of qubits and verifying its properties on a classical computer is challenging. For our purpose of verifying fairness in quantum machine learning, we adopt a compact data structure, Tensor Networks, to mitigate this issue (see Sect. 6).


Parameterized Quantum Circuit $\mathcal{E}_\theta$: Several different types of parameterized quantum circuits have been proposed, e.g. quantum neural networks (QNNs) [31] and quantum convolutional neural networks (QCNNs) [32]. Basically, $\mathcal{E}_\theta$ consists of a sequence of quantum operations: $\mathcal{E}_\theta = \mathcal{E}_{d,\theta_d} \circ \cdots \circ \mathcal{E}_{1,\theta_1}$. For each input quantum state $\rho$, the output of the circuit is $\mathcal{E}_\theta(\rho) = \mathcal{E}_{d,\theta_d}(\cdots \mathcal{E}_{2,\theta_2}(\mathcal{E}_{1,\theta_1}(\rho)))$. In the current NISQ era, each component $\mathcal{E}_{i,\theta_i}$ is:

— either a parameterized quantum gate $\mathcal{U}_{i,\theta_i}$ (the full boxes in Fig. 1) with $\mathcal{U}_{i,\theta_i}(\rho) = U_{i,\theta_i}\rho U_{i,\theta_i}^\dagger$, where $U_{i,\theta_i}$ is a unitary matrix with parameters $\theta_i$, i.e., $U_{i,\theta_i}^\dagger U_{i,\theta_i} = U_{i,\theta_i}U_{i,\theta_i}^\dagger = I$ (the identity matrix), and $U_{i,\theta_i}^\dagger$ is the entry-wise conjugate transpose of $U_{i,\theta_i}$;

— or a quantum noise $\mathcal{E}_i$ (the dashed boxes in Fig. 1). Mathematically, it can be described by a family of Kraus matrices $\{E_{ij}\}_j$ [25]: $\mathcal{E}_i(\rho) = \sum_j E_{ij}\rho E_{ij}^\dagger$ with $\sum_j E_{ij}^\dagger E_{ij} = I$. Briefly, $\mathcal{E}_i$ is represented as $\mathcal{E}_i = \{E_{ij}\}_j$.

Note that in constructing a quantum machine learning model, only the quantum gates $U_{i,\theta_i}$ are parameterized; the noises $\mathcal{E}_i$ are not, because they come from the outside environment.

It should be pointed out that, in a practical model, as shown in Fig. 1, each quantum operation $\mathcal{E} = \mathcal{E}_{i,\theta_i}$ non-trivially applies on only one or two qubits. For example, if $\mathcal{E}$ only works on the first qubit, then $\mathcal{E} = \mathcal{E}_1 \otimes \mathrm{id}_2 \otimes \cdots \otimes \mathrm{id}_n$ and $\mathcal{E}(\rho_1 \otimes \rho_2 \otimes \cdots \otimes \rho_n) = \mathcal{E}_1(\rho_1) \otimes \rho_2 \otimes \cdots \otimes \rho_n$, where $\rho_i$ is the mixed state of qubit $q_i$ and the tensor product $\rho_1 \otimes \rho_2 \otimes \cdots \otimes \rho_n$ is the joint state of the multiple qubits $q_1, \ldots, q_n$. This locality feature will be exploited by Tensor Networks to optimize our verification algorithm for fairness in the Evaluation Section, Sect. 6.


Example 2. Consider the 1-qubit noise model $\mathcal{E}(\rho) = (1-p)\rho + p\,U\rho U^\dagger$, where $0 \le p \le 1$ is a probability and $U$ is a unitary matrix. It includes the following typical noises depending on the choice of $U$: $U = X$ for bit flip, $U = Z$ for phase flip and $U = Y = iXZ$ for bit-phase flip [25, Section 8.3], where $I, X, Y, Z$ are the Pauli matrices:
$$X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \quad I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix},$$
where $i$ denotes the imaginary unit. The depolarizing noise combines the above three kinds of noise:
$$\mathcal{E}_p(\rho) = (1-p)\rho + p\frac{I}{2} = \Big(1 - \frac{3p}{4}\Big)\rho + \frac{p}{4}\big(X\rho X + Y\rho Y + Z\rho Z\big).$$


Measurement $\{M_i\}_{i\in O}$: At the end of the parameterized quantum circuit $\mathcal{E}_\theta$, we cannot directly read out the output $\mathcal{E}_\theta(\rho)$. The only way allowed by quantum mechanics to extract classical information from $\mathcal{E}_\theta(\rho)$ is through a quantum measurement, which is mathematically modeled by a set $\{M_i\}_{i\in O}$ of matrices, with $O$ being the set of possible outcomes and $\sum_{i\in O} M_i^\dagger M_i = I$. This observing process is probabilistic: for the measurement on state $\mathcal{E}_\theta(\rho)$, an outcome $i \in O$ is obtained with probability $p_i = \mathrm{tr}(M_i\mathcal{E}_\theta(\rho)M_i^\dagger)$⁴. Therefore, the output of the quantum machine learning model $\mathcal{A}_\theta$ upon an input $\rho$ is a probability distribution $\mathcal{A}_\theta(\rho) = \{p_i : p_i = \mathrm{tr}(M_i\mathcal{E}_\theta(\rho)M_i^\dagger)\}_{i\in O}$, as depicted at the rightmost of Fig. 1.

In this paper, we focus on well-trained quantum machine learning models (i.e., $\theta$ has been tuned), so we omit the $\theta$ in $\mathcal{E}_\theta$ and $\mathcal{A}_\theta$. Now, we can formally specify a quantum decision model $\mathcal{A}$ as follows:

Definition 1. A quantum decision model $\mathcal{A} = (\mathcal{E}, \{M_i\}_{i\in O})$ is a randomized mapping
$$\mathcal{A}: \mathcal{D}(\mathcal{H}) \to \mathcal{D}(O), \qquad \mathcal{A}(\rho) = \{\mathrm{tr}(M_i\mathcal{E}(\rho)M_i^\dagger)\}_{i\in O} \quad \forall \rho \in \mathcal{D}(\mathcal{H}),$$
where $\mathcal{E}$ is a super-operator on the Hilbert space $\mathcal{H}$, and $\{M_i\}_{i\in O}$ is a quantum measurement on $\mathcal{H}$ with $O$ being the set of measurement outcomes (classical information) we are interested in.


⁴ After measuring $\mathcal{E}_\theta(\rho)$ with outcome $i \in O$, the state $\mathcal{E}_\theta(\rho)$ collapses (changes) to $\rho_i' = M_i\mathcal{E}_\theta(\rho)M_i^\dagger / p_i$. As we can see, the post-measurement state $\rho_i'$ depends on the measurement outcome $i$. This special property is vitally different from classical computation.
Like their classical counterparts, quantum decision models are usually classified into two categories: regression and classification models. Regression models generally predict a value/quantity, whereas classification models predict a label/class. More specifically, a regression model $\mathcal{A}_R$ uses the output of $\mathcal{A}$ directly as the predicted value for the regression variable $\rho \in \mathcal{D}(\mathcal{H})$, that is, $\mathcal{A}_R(\rho) = \mathcal{A}(\rho)$ for all $\rho \in \mathcal{D}(\mathcal{H})$. In the classical world, regression models have been successfully applied to many real-world applications, such as stock market prediction and object detection. Quantum regression models were recently used to predict molecular atomization energies [33] and in the demonstration of IBM's programming platform Qiskit [34, Variational Quantum Regression]. On the other hand, a classification model $\mathcal{A}_C$ further uses the measurement outcome probability distribution $\mathcal{A}(\rho)$ to assign a class label to the input state $\rho$. The most common way is as follows:
$$\mathcal{A}_C: \mathcal{D}(\mathcal{H}) \to O, \qquad \mathcal{A}_C(\rho) = \arg\max_{i\in O} \mathcal{A}(\rho)_i \quad \forall \rho \in \mathcal{D}(\mathcal{H}),$$
where $\mathcal{A}(\rho)_i$ denotes the $i$-th element of the distribution $\mathcal{A}(\rho)$. Classical classification models have broad applications in our daily life, such as face recognition and medical image classification. Quantum classification models have been used to implement quantum phase recognition [32] and cluster excitation detection [4] for real-world physical problems, and fraud detection [8] in finance.

As we saw above, although classical and quantum decision models $f$ and $\mathcal{A}$ are both randomized mappings, the input data to them and their procedures for processing the data are fundamentally different. These differences mean that the techniques for verifying classical models cannot be directly applied to quantum models, and we have to develop new techniques for the latter.


3 Defining Fairness 


As discussed in the Introduction, an important issue in classical machine learning is how fair the decisions made by machines are. The same issue exists for quantum machine learning. Intuitively, fairness of a quantum decision model $\mathcal{A}$ means treating all input states equally, i.e., there is no pair of two close input states that has a large difference between their corresponding outcomes. Formally,

Definition 2 (Bias Pair). Suppose we are given a quantum decision model $\mathcal{A} = (\mathcal{E}, \{M_i\}_{i\in O})$, two distance metrics $D(\cdot,\cdot)$ and $d(\cdot,\cdot)$ on $\mathcal{D}(\mathcal{H})$ and $\mathcal{D}(O)$, respectively, and two small enough threshold values $1 > \epsilon, \delta > 0$. Then $(\rho, \sigma)$ is said to be an $(\epsilon,\delta)$-bias pair if the following is true:
$$[D(\rho,\sigma) \le \epsilon] \wedge [d(\mathcal{A}(\rho), \mathcal{A}(\sigma)) > \delta]. \qquad (1)$$

The first condition in (1) indicates that the distance between the input states $\rho$ and $\sigma$ is within $\epsilon$, and the second condition shows that the difference between the outcomes $\mathcal{A}(\rho)$ and $\mathcal{A}(\sigma)$ is beyond $\delta$. Sometimes, without ambiguity, $(\rho,\sigma)$ is simply called a bias pair if $\epsilon$ and $\delta$ are preset.
Definition 3 (Fair Model). Let $\mathcal{A} = (\mathcal{E}, \{M_i\}_{i\in O})$ be a decision model. Then $\mathcal{A}$ is $(\epsilon,\delta)$-fair if there is no $(\epsilon,\delta)$-bias pair.


The intuition behind this notion of fairness is that a small or non-significant perturbation of a sample $\rho$ to $\sigma$ (i.e. $D(\rho,\sigma) \le \epsilon$) must not be treated "differently" by a fair model. The choice of the input distance function $D(\cdot,\cdot)$ identifies the perturbations to be considered non-significant, while the choice of the output distance function $d(\cdot,\cdot)$ limits the change allowed in the model's outputs on the perturbed inputs.


Fairness Implying Robustness: As in the classical situation [21], robustness of quantum machine learning is a special case of the fairness defined above. Formally, robustness is defined on a specific state $\rho$: given a quantum model $\mathcal{A} = (\mathcal{E}, \{M_i\}_{i\in O})$, $\rho$ is $(\epsilon,\delta)$-robust if for all $\sigma \in \mathcal{D}(\mathcal{H})$, $D(\rho,\sigma) \le \epsilon$ implies $d(\mathcal{A}(\rho),\mathcal{A}(\sigma)) \le \delta$. In contrast, fairness is established on all quantum states: $\mathcal{A}$ is $(\epsilon,\delta)$-fair if and only if $\rho$ is $(\epsilon,\delta)$-robust for all states $\rho \in \mathcal{D}(\mathcal{H})$. So, fairness implies robustness and can be thought of as global robustness.


Choice of Distances: The reader may have noticed that the above definition of fairness for quantum decision models is similar to that for classical decision models. But an intrinsic distinction between them comes from the choice of the distances $D(\cdot,\cdot)$ and $d(\cdot,\cdot)$. In the classical case, the distances define the similarity between individuals, and their appropriate choices have been intensively discussed [18]. One of the most used distances is the total variation distance, measuring the closeness of individuals encoded by probability distributions. In this paper, we use it as $d(\cdot,\cdot)$ for the measurement outcome distributions in Definition 1 and choose $D(\cdot,\cdot)$ to be the trace distance. The trace distance is essentially a generalization of the total variation distance, and has been widely used by the quantum computation and quantum information community to define the closeness of quantum states [25, Section 9.2]. Formally, for two quantum states $\rho, \sigma \in \mathcal{D}(\mathcal{H})$,
$$D(\rho,\sigma) = \frac{1}{2}\mathrm{tr}(|\rho - \sigma|),$$
where $|\rho - \sigma| = \Delta_+ + \Delta_-$ if $\rho - \sigma = \Delta_+ - \Delta_-$ with $\mathrm{tr}(\Delta_+\Delta_-) = 0$ and $\Delta_\pm$ being positive semi-definite matrices. On the other hand, for two probability distributions $p = \{p_i\}_{i\in O}$, $q = \{q_i\}_{i\in O}$ over $O$, $d(p,q) = \frac{1}{2}\sum_{i\in O}|p_i - q_i|$. In particular, for the measurement outcome distributions, we have:
$$d(\mathcal{A}(\rho), \mathcal{A}(\sigma)) = \frac{1}{2}\sum_{i\in O}\Big|\mathrm{tr}\big(M_i\,\mathcal{E}(\rho - \sigma)\,M_i^\dagger\big)\Big|.$$
If $\rho$ and $\sigma$ are both diagonal matrices, i.e., $\rho = \mathrm{diag}(p_1, \ldots, p_{|O|})$ and $\sigma = \mathrm{diag}(q_1, \ldots, q_{|O|})$, then $D(\rho,\sigma) = d(p,q)$.


4 Characterizing Fairness 


In this section, we give a characterization of fairness in terms of the Lipschitz 
constant and clarify its relationship with quantum noises. 
4.1 Fairness and Lipschitz Constant


The Lipschitz constant has been widely used in classical machine learning for 
applications ranging from robustness and fairness certification of classifiers to 
stability analysis of closed-loop systems with reinforcement learning controllers 
(e.g. [35, 36]). In this subsection, we show that there also exists a close connection 
between the Lipschitz constant and fairness in the quantum setting. Let us start 
from an observation: 


Lemma 1. Let $\mathcal{A} = (\mathcal{E}, \{M_i\}_{i\in O})$ be a quantum decision model. Then
$$d(\mathcal{A}(\rho), \mathcal{A}(\sigma)) \le D(\rho,\sigma). \qquad (2)$$
Proof. See Appendix A in [37] for the proof.

The above lemma indicates that a quantum decision model $\mathcal{A}$ is automatically $(\epsilon,\delta)$-fair whenever $\delta \ge \epsilon$. Furthermore, we see that $\mathcal{A}$ is unconditionally Lipschitz continuous: there exists a constant $K > 0$ ($K \le 1$ by Lemma 1) such that for all $\rho, \sigma \in \mathcal{D}(\mathcal{H})$,
$$d(\mathcal{A}(\rho), \mathcal{A}(\sigma)) \le K\,D(\rho,\sigma). \qquad (3)$$

As usual, $K$ is called a Lipschitz constant of $\mathcal{A}$. Furthermore, the smallest such $K$, denoted by $K^*$, is called the (best) Lipschitz constant of $\mathcal{A}$.

In the context of quantum machine learning, the following theorem shows that $K^*$ actually measures the fairness of the decision model $\mathcal{A}$: it is the smallest ratio $\delta/\epsilon$ for which the model is fair (equivalently, the largest ratio of output change $d$ to input change $D$ the model can produce), and the states $\psi, \phi$ achieving $K^*$ can be used to find bias pairs in fairness verification.


Theorem 1. 1. Given a quantum decision model $\mathcal{A} = (\mathcal{E}, \{M_i\}_{i\in O})$ and $1 > \epsilon, \delta > 0$, $\mathcal{A}$ is $(\epsilon,\delta)$-fair if and only if $\delta \ge K^*\epsilon$.

2. If $\mathcal{A}$ is not $(\epsilon,\delta)$-fair, then the pair $(\psi, \phi)$ achieving $K^*$ is a bias kernel; that is, for any quantum state $\sigma \in \mathcal{D}(\mathcal{H})$, $(\rho_\psi, \rho_\phi)$ is a bias pair, where
$$\rho_\psi = \epsilon\psi + (1-\epsilon)\sigma, \qquad \rho_\phi = \epsilon\phi + (1-\epsilon)\sigma. \qquad (4)$$

Proof (Outline). The "if" direction of the first claim is derived from the definitions of $(\epsilon,\delta)$-fairness and $K^*$ together with (3). The "only if" direction of the first claim and the second claim are both based on the existence of pure states $|\psi\rangle$ and $|\phi\rangle$ achieving $K^*$: $d(\mathcal{A}(\psi), \mathcal{A}(\phi)) = K^* D(\psi,\phi)$. The detailed proof is presented in Appendix B in [37].


4.2 Fairness and Noises 


In this subsection, we turn to consider the relation between fairness and noise. Let us first examine a simple example. Assume a noiseless quantum decision model $\mathcal{A} = (\mathcal{U}, \{M_i\}_{i\in O})$ where $\mathcal{U}$ is a unitary operator, i.e., $\mathcal{U} = \{U\}$ for some unitary matrix $U$. The 1-qubit depolarizing noise in Example 2 can be generalized to a larger system with the following form:
$$\mathcal{E}(\rho) = (1-p)\rho + p\,\frac{I}{N},$$
where $0 \le p \le 1$ and $N$ is the dimension of the state space $\mathcal{H}$ of the system. By introducing it into $\mathcal{A}$, we obtain a noisy model $\mathcal{A}_\mathcal{E} = (\mathcal{E} \circ \mathcal{U}, \{M_i\}_{i\in O})$. Let $K^*$ and $K^*_\mathcal{E}$ be the Lipschitz constants of $\mathcal{A}$ and $\mathcal{A}_\mathcal{E}$, respectively. A calculation (with the help of Theorem 3 below) yields:
$$K^*_\mathcal{E} = (1-p)K^*. \qquad (5)$$

Theorem 1 indicates that the smaller the Lipschitz constant is, the fairer the quantum machine learning model will be. So, depolarizing noise improves fairness by a factor of $(1-p)$. By the way, it was shown in [38] that depolarizing noise can improve the robustness of quantum machine learning. This result can be strengthened by using (5) to quantitatively characterize the robustness improvement.
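The calculation behind (5), written out here as an added derivation (the paper defers it to Theorem 3; the steps below are the editor's, using only the definitions on this page): for any matrix $P$ and any state $\rho$, the depolarizing channel satisfies
$$\mathrm{tr}\big(\mathcal{E}(\rho)P\big) = (1-p)\,\mathrm{tr}(\rho P) + \frac{p}{N}\,\mathrm{tr}(P)\,\mathrm{tr}(\rho) \quad\Longrightarrow\quad \mathcal{E}^\dagger(P) = (1-p)P + \frac{p}{N}\,\mathrm{tr}(P)\,I.$$
Hence, for every $A \subseteq O$, the matrix $M_A$ of Theorem 3 for the noisy model $\mathcal{A}_\mathcal{E}$ is
$$M_A^{\mathcal{E}} = U^\dagger\,\mathcal{E}^\dagger\Big(\sum_{i\in A} M_i^\dagger M_i\Big)U = (1-p)\,U^\dagger\Big(\sum_{i\in A} M_i^\dagger M_i\Big)U + \frac{p}{N}\Big(\sum_{i\in A}\mathrm{tr}(M_i^\dagger M_i)\Big)I = (1-p)\,M_A + c_A I,$$
with $M_A$ the matrix of the noiseless model and $c_A \ge 0$ a scalar. Adding $c_A I$ shifts every eigenvalue by the same amount, so
$$\lambda_{\max}(M_A^{\mathcal{E}}) - \lambda_{\min}(M_A^{\mathcal{E}}) = (1-p)\big[\lambda_{\max}(M_A) - \lambda_{\min}(M_A)\big] \quad \text{for each } A \subseteq O,$$
and maximizing over $A$ gives $K^*_\mathcal{E} = (1-p)K^*$. The same argument shows that any noise whose conjugate map has the form $P \mapsto (1-p)P + (\text{multiple of } I)$ scales $K^*$ by exactly $(1-p)$; for other noises Theorem 2 below only gives the inequality.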

The observation in the above example can actually be generalized to the 
following: 


Theorem 2. Let $\mathcal{A} = (\mathcal{U}, \{M_i\}_{i\in O})$ be a quantum decision model. Then for any quantum noise represented by a super-operator $\mathcal{E}$, we have $K^*_\mathcal{E} \le K^*$, where $K^*$ and $K^*_\mathcal{E}$ are the Lipschitz constants of $\mathcal{A}$ and $\mathcal{A}_\mathcal{E} = (\mathcal{E} \circ \mathcal{U}, \{M_i\}_{i\in O})$.

Proof (Outline). The proof of this theorem mainly depends on the observation that the range of $\mathcal{A}_\mathcal{E}$ is a subset of the range of $\mathcal{A}$, i.e. $\{\mathcal{E} \circ \mathcal{U}(\rho) : \rho \in \mathcal{D}(\mathcal{H})\} \subseteq \{\mathcal{U}(\rho) : \rho \in \mathcal{D}(\mathcal{H})\} = \mathcal{D}(\mathcal{H})$. Subsequently, by Definition 2 of fairness, the output distributions of $\mathcal{A}_\mathcal{E}$ are contained in those of $\mathcal{A}$. A restatement of this theorem in terms of the distinguishability of quantum states (measurements) and its full proof are presented in Appendix C in [37].


Remark 1. The above theorem indicates that adding noise at the end of a noiseless computation can never worsen fairness and may improve it. Indeed, this is also true when the noise appears in the middle (after any gate in the circuit).


5 Fairness Verification 


In this section, we develop an algorithm for the fairness verification of quantum 
decision models based on the theoretical results obtained in the last section. 
Formally, the major problem concerned in this paper is the following: 


Problem 1 (Fairness Verification Problem). Given a quantum decision model $\mathcal{A}$ and $1 > \epsilon, \delta > 0$, check whether or not $\mathcal{A}$ is $(\epsilon,\delta)$-fair. If not, then (at least) one bias pair $(\rho, \sigma)$ is provided.


5.1 Computing the Lipschitz Constant 


First of all, we note that essentially, Theorem 1 gives a verification condition 
for fairness in terms of the Lipschitz constant K*. Therefore, computing K* 
is crucial for fairness verification. However, this problem is much more difficult 
than that in the classical counterpart as discussed in Subsect. 1.1. The following 
theorem provides a method to compute the Lipschitz constant K* by evaluating 
the eigenvalues of certain matrices. 
Theorem 3. 1. Given a quantum decision model $\mathcal{A} = (\mathcal{E}, \{M_i\}_{i\in O})$, the Lipschitz constant $K^*$ is
$$K^* = \max_{A \subseteq O}\big[\lambda_{\max}(M_A) - \lambda_{\min}(M_A)\big] \quad \text{with } M_A = \sum_{i\in A}\mathcal{E}^\dagger(M_i^\dagger M_i),$$
where $\mathcal{E}^\dagger$ is the conjugate map⁵ of $\mathcal{E}$, and $\lambda_{\max}(M_A)$ and $\lambda_{\min}(M_A)$ are the maximum and minimum eigenvalues of the positive semi-definite matrix $M_A$, respectively.

2. Furthermore, let $A^* \subseteq O$ be an optimal solution reaching the Lipschitz constant, i.e.,
$$A^* = \arg\max_{A \subseteq O}\big[\lambda_{\max}(M_A) - \lambda_{\min}(M_A)\big],$$
and let $|\psi\rangle$ and $|\phi\rangle$ be two normalized eigenvectors corresponding to the maximum and minimum eigenvalues of $M_{A^*}$, respectively. Then we have
$$d(\mathcal{A}(\psi), \mathcal{A}(\phi)) = K^*\,D(\psi,\phi) = K^*,$$
where $\psi = |\psi\rangle\langle\psi|$ and $\phi = |\phi\rangle\langle\phi|$ (the two eigenvectors are orthogonal, so $D(\psi,\phi) = 1$).

Proof (Outline). This theorem can be proved by reducing the problem of calculating the Lipschitz constant to determining the distinguishability of a quantum measurement. Then we claim that the distinguishability is the maximum difference between the eigenvalues of the matrices generated by the measurement. The details are quite involved, and we postpone them to Appendix C in [37].


Based on the above theorem, we are able to develop Algorithm 1 for com- 
puting the Lipschitz constant K*. The correctness and complexity are provided 
in the next subsection. 


5.2 Fairness Verification Algorithm 


Now we are ready to present our main algorithm—Algorithm 2—for verifying 
fairness of quantum decision models. 

To see the correctness of Algorithm 2, let us first note that the second part of Theorem 3 shows that $K^*$ can be achieved by $d(\mathcal{A}(\psi), \mathcal{A}(\phi))$ for two mutually orthogonal quantum (pure) states $\psi$ and $\phi$. On the other hand, the second part of Theorem 1 asserts that such states $\psi$ and $\phi$ form a bias kernel. Moreover, since the state $\sigma \in \mathcal{D}(\mathcal{H})$ in (4) is arbitrary and $\mathcal{D}(\mathcal{H})$ is an infinite set, infinitely many bias pairs can be generated from this kernel.

Algorithm 1. Lipschitz($\mathcal{A}$)

Input: A quantum decision model $\mathcal{A} = (\mathcal{E} = \{E_j\}_{j\in J}, \{M_i\}_{i\in O})$ on a Hilbert space $\mathcal{H}$ with dimension $N$.
Output: The Lipschitz constant $K^*$ and $(\psi, \phi)$ as in Theorem 3.

1: for each $i \in O$ do
2:   $W_i = \mathcal{E}^\dagger(M_i^\dagger M_i) = \sum_{j\in J} E_j^\dagger M_i^\dagger M_i E_j$
3: end for
4: $K^* = 0$, $A^* = \emptyset$ (the empty set) and $M_{A^*} = 0$ (the zero matrix).
5: for each $A \subseteq O$ do
6:   $M_A = \sum_{i\in A} W_i$ and $K_A = \lambda_{\max}(M_A) - \lambda_{\min}(M_A)$
7:   if $K_A > K^*$ then
8:     $K^* = K_A$, $A^* = A$ and $M_{A^*} = M_A$
9:   end if
10: end for
11: $|\psi\rangle$ and $|\phi\rangle$ are two normalized eigenvectors corresponding to the maximum and minimum eigenvalues of $M_{A^*}$, respectively.
12: return $K^*$ and $(\psi, \phi)$

Algorithm 2. FairVeriQ($\mathcal{A}, \epsilon, \delta$)

Input: A quantum decision model $\mathcal{A} = (\mathcal{E} = \{E_j\}_{j\in J}, \{M_i\}_{i\in O})$ on a Hilbert space $\mathcal{H}$ with dimension $N$, and real numbers $1 > \epsilon, \delta > 0$.
Output: true, indicating that $\mathcal{A}$ is $(\epsilon,\delta)$-fair, or false together with a bias kernel pair $(\psi, \phi)$, indicating that $\mathcal{A}$ is not $(\epsilon,\delta)$-fair.

1: $(K^*, (\psi, \phi))$ = Lipschitz($\mathcal{A}$)  // Call Algorithm 1
2: if $\delta \ge K^*\epsilon$ then
3:   return true
4: else
5:   return false and $(\psi, \phi)$
6: end if

To analyze the complexities of Algorithm 2 and its subroutine, Algorithm 1, we first see by Theorem 1 that for evaluating the $(\epsilon,\delta)$-fairness of a quantum decision model $\mathcal{A}$, the Lipschitz constant $K^*$ is sufficient and necessary. Thus the first step (Line 1) of Algorithm 2 is to call Algorithm 1 to compute $K^*$ by means of Theorem 3. The complexity of Algorithm 1 is mainly attributable to computing $W_i = \sum_{j\in J} E_j^\dagger M_i^\dagger M_i E_j$ for each $i \in O$, and, for each $A \subseteq O$, $\sum_{i\in A} W_i$ and its maximum and minimum eigenvalues (and the corresponding eigenvectors for $A = A^*$ at the end). The former calculation needs $O(N^6)$, as the multiplication of $N \times N$ matrices needs $O(N^3)$ operations and the number $|J|$ of Kraus operators $\{E_j\}_{j\in J}$ of $\mathcal{E}$ can be at most $N^2$ [39, Chapter 2.2]; the complexity of the latter is $O(2^{|O|}|O|N^2)$, since the number of subsets of $O$ is $2^{|O|}$, $|A| \le |O|$ for any $A \subseteq O$, and computing the maximum and minimum eigenvalues with the corresponding eigenvectors of an $N \times N$ matrix costs $O(N^2)$. Therefore, the total complexity of Algorithm 1 is $O(N^6 + 2^{|O|}|O|N^2)$. After that, in Lines 2-6, we simply compare $\delta$ and $K^*\epsilon$ to answer the fairness verification problem. So, Algorithm 2 shares the same complexity as Algorithm 1.

⁵ $\mathcal{E}^\dagger(\rho) = \sum_{j\in J} E_j^\dagger \rho E_j$ if $\mathcal{E}$ admits the Kraus matrix form $\mathcal{E}(\rho) = \sum_{j\in J} E_j \rho E_j^\dagger$.
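The pieces of Sects. 2 to 5 fit together in the following added example, which is the editor's code and not the authors' implementation (theirs is linked in Sect. 6). It builds the Kraus lists of Example 2 (depolarizing and bit-flip noise, placed on one qubit of a larger register as in the locality discussion of Sect. 2), evaluates the outcome distribution of Definition 1, the trace and total-variation distances of Sect. 3, the matrices $M_A$ of Theorem 3 (hence Algorithm 1), the comparison of Algorithm 2, and the bias pairs of equation (4). Everything is pure Python on lists of complex numbers; the eigenvalue routine is a shifted power iteration with deflation rather than a library call. All function names are the editor's. The demo circuits (a Hadamard followed by depolarizing noise; a two-qubit Bell circuit with bit-flip noise on the measured qubit), the noise levels and the thresholds $\epsilon = 0.1$, $\delta = 0.05$ are assumptions chosen so the results can be checked by hand: the depolarizing model gives $K^* = 1 - p$ as in (5), the bit-flip model gives $K^* = 1 - 2q$, and the constructed bias pair has $D = \epsilon$ and $d = K^*\epsilon$.

```python
# Added example, not the authors' code: Algorithms 1 and 2 on small noisy models in pure Python
# (matrices are lists of rows of complex numbers; eigenpairs come from a shifted power iteration with
# deflation, as in the paper's medium-scale runs).  Circuits, noise levels and thresholds are illustrative.
import itertools, math

def dag(A):  # conjugate transpose
    return [[complex(A[j][i]).conjugate() for j in range(len(A))] for i in range(len(A[0]))]
def mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]
def add(A, B, s=1.0):  # A + s*B
    return [[A[i][j] + s * B[i][j] for j in range(len(A[0]))] for i in range(len(A))]
def kron(A, B):  # tensor product
    rb, cb = len(B), len(B[0])
    return [[A[i // rb][j // cb] * B[i % rb][j % cb] for j in range(len(A[0]) * cb)] for i in range(len(A) * rb)]
def scale(A, s): return [[s * x for x in row] for row in A]
def eye(n): return [[1.0 + 0j if i == j else 0j for j in range(n)] for i in range(n)]
def outer(v): return [[a * b.conjugate() for b in v] for a in v]  # |v><v|

def hermitian_eigs(M, iters=2000):
    """All (eigenvalue, unit eigenvector) pairs of Hermitian M, largest first: the shift exceeds the
    spectral radius, so power iteration on A = M + shift*I finds the largest remaining eigenvalue;
    deflation then sets that direction's eigenvalue to zero."""
    n, shift = len(M), math.sqrt(sum(abs(x) ** 2 for row in M for x in row)) + 1.0
    A, pairs = add(M, eye(n), shift), []
    for r in range(n):
        v = [complex(0.1 + ((k + 1) * (r + 1) * 0.37) % 1.0, 0.2 + ((k + 1) * (r + 2) * 0.61) % 1.0)
             for k in range(n)]  # deterministic "generic" start vector, different in every round
        t = 0
        for _ in range(iters):
            w = [sum(A[i][j] * v[j] for j in range(n)) for i in range(n)]
            nrm = math.sqrt(sum(abs(x) ** 2 for x in w))
            if nrm < 1e-12:  # start vector lay in the deflated span: restart from a basis vector
                v, t = [1.0 + 0j if k == t else 0j for k in range(n)], t + 1
                continue
            v = [x / nrm for x in w]
        lam = sum(v[i].conjugate() * A[i][j] * v[j] for i in range(n) for j in range(n)).real - shift
        pairs.append((lam, v))
        A = add(A, outer(v), -(lam + shift))
    return pairs

# Channels as Kraus operator lists (Sect. 2); E^dagger is the conjugate map of footnote 5.
def apply(kraus, rho):  # E(rho) = sum_j E_j rho E_j^dagger
    out = [[0j] * len(rho) for _ in rho]
    for E in kraus:
        out = add(out, mul(mul(E, rho), dag(E)))
    return out
def dual(kraus, P): return apply([dag(E) for E in kraus], P)  # E^dagger(P) = sum_j E_j^dagger P E_j
def compose(first, second): return [mul(F, E) for E in first for F in second]  # Kraus ops of second o first
def is_trace_preserving(kraus, tol=1e-12):  # sum_j E_j^dagger E_j == I, the sanity check for hand-built noise
    S = add(dual(kraus, eye(len(kraus[0]))), eye(len(kraus[0])), -1.0)
    return all(abs(x) < tol for row in S for x in row)

I2, X, Y, Z = eye(2), [[0j, 1 + 0j], [1 + 0j, 0j]], [[0j, -1j], [1j, 0j]], [[1 + 0j, 0j], [0j, -1 + 0j]]
H = scale([[1 + 0j, 1 + 0j], [1 + 0j, -1 + 0j]], 1 / math.sqrt(2))
CNOT = [[1 + 0j, 0j, 0j, 0j], [0j, 1 + 0j, 0j, 0j], [0j, 0j, 0j, 1 + 0j], [0j, 0j, 1 + 0j, 0j]]
def depolarizing(p):  # Example 2: (1-p) rho + p I/2, in Kraus form
    return [scale(I2, math.sqrt(1 - 3 * p / 4))] + [scale(P, math.sqrt(p / 4)) for P in (X, Y, Z)]
def bit_flip(p): return [scale(I2, math.sqrt(1 - p)), scale(X, math.sqrt(p))]  # Example 2 with U = X
def on_qubit(kraus1, k, n):  # 1-qubit noise on qubit k of n, tensored with identities (locality, Sect. 2)
    return [kron(kron(eye(2 ** k), E), eye(2 ** (n - k - 1))) for E in kraus1]
def last_qubit_measurement(n):  # {I (x) |0><0|, I (x) |1><1|} as in Sect. 6
    return [kron(eye(2 ** (n - 1)), outer([1 + 0j, 0j])), kron(eye(2 ** (n - 1)), outer([0j, 1 + 0j]))]
def outcomes(kraus, meas, rho):  # A(rho) = {tr(M_i E(rho) M_i^dagger)}_i, Definition 1
    out = apply(kraus, rho)
    return [sum(mul(mul(M, out), dag(M))[i][i] for i in range(len(rho))).real for M in meas]
def tv_distance(p, q): return 0.5 * sum(abs(a - b) for a, b in zip(p, q))  # d(p, q)
def trace_distance(rho, sigma):  # D(rho, sigma) = 1/2 tr|rho - sigma|
    return 0.5 * sum(abs(lam) for lam, _ in hermitian_eigs(add(rho, sigma, -1.0)))

def lipschitz(kraus, meas):
    """Algorithm 1 / Theorem 3: K* = max over A in O of lambda_max(M_A) - lambda_min(M_A), where
    M_A = sum_{i in A} E^dagger(M_i^dagger M_i); also returns the bias kernel (psi, phi)."""
    n, W = len(meas[0]), [dual(kraus, mul(dag(M), M)) for M in meas]
    K, psi, phi = 0.0, None, None
    for r in range(len(meas) + 1):
        for A in itertools.combinations(range(len(meas)), r):
            MA = [[0j] * n for _ in range(n)]
            for i in A:
                MA = add(MA, W[i])
            eig = hermitian_eigs(MA)
            if eig[0][0] - eig[-1][0] > K:
                K, psi, phi = eig[0][0] - eig[-1][0], eig[0][1], eig[-1][1]
    return K, psi, phi
def fair_veri_q(kraus, meas, eps, delta):  # Algorithm 2: fair iff delta >= K* eps
    K, psi, phi = lipschitz(kraus, meas)
    return (True, K, None) if delta >= K * eps else (False, K, (psi, phi))
def bias_pair(psi, phi, eps, sigma):  # equation (4), valid for any state sigma
    return add(scale(outer(psi), eps), sigma, 1 - eps), add(scale(outer(phi), eps), sigma, 1 - eps)
def demo():
    p, eps, delta = 0.1, 0.1, 0.05  # 1 qubit: Hadamard, then depolarizing noise p, Z-basis measurement
    meas, noisy = last_qubit_measurement(1), compose([H], depolarizing(p))
    fair, K1, kernel = fair_veri_q(noisy, meas, eps, delta)  # unfair at these thresholds, so kernel != None
    rho_psi, rho_phi = bias_pair(kernel[0], kernel[1], eps, scale(I2, 0.5))
    U, meas2 = mul(CNOT, kron(H, I2)), last_qubit_measurement(2)  # 2 qubits: Bell circuit, noise on qubit 1
    return {"K_noiseless": lipschitz([H], meas)[0], "K_depolarizing": K1, "fair": fair,
            "D": trace_distance(rho_psi, rho_phi),  # = eps * D(psi, phi) = eps
            "d": tv_distance(outcomes(noisy, meas, rho_psi), outcomes(noisy, meas, rho_phi)),  # = K* eps
            "K2_clean": lipschitz([U], meas2)[0],
            "K2_bitflip": lipschitz(compose([U], on_qubit(bit_flip(0.1), 1, 2)), meas2)[0]}
```

`demo()` returns the noiseless and noisy Lipschitz constants of both models together with the verdict of Algorithm 2 and the distances of one generated bias pair; on the two-qubit model the noisy $K^*$ sits below the noiseless value of 1, which is Theorem 2 in numbers. Two practical points: `is_trace_preserving` is the check to run on any hand-written Kraus list before trusting a $K^*$, since a non-trace-preserving "noise" silently breaks the $M_O = I$ identity that Algorithm 1 relies on; and the power iteration is adequate here only because the spectra are well separated, as it converges slowly when the top or bottom eigenvalue of $M_A$ is nearly degenerate.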


Theorem 4. The worst case complexities of Algorithms 1 and 2 are both $O(N^6 + 2^{|O|}|O|N^2)$, where $N$ is the dimension of the input Hilbert state space $\mathcal{H}$ and $|O|$ is the size of the measurement outcome set $O$.


Like their classical counterparts, quantum machine learning models usually downscale large-dimension input data to small-size outputs. This means that the size $|O|$ of the measurement outcome set $O$ is far smaller than the dimension $N$ of the input Hilbert state space $\mathcal{H}$. It is even a constant 2 in most real-world tasks for binary decisions/classifications, such as income prediction and credit scoring (see the examples in Sect. 6), and in this case the complexities of Algorithms 1 and 2 are both $O(N^6)$. However, the dimension $N$ is exponential in the number $n$ of input qubits, i.e., $N = 2^n$. Thus the complexity turns out to be $O(2^{6n})$. In the verification of classical models, this state-space explosion problem [40] can be mitigated by using custom-made data structures that capture the features of the underlying data, e.g. Binary Decision Diagrams (BDDs) [41]. In the quantum case, we overcome this difficulty by employing a quantum data structure, Tensor Networks (TNs), originating from quantum many-body physics, to exploit the locality and regularity of the circuits representing quantum machine learning models. As a result, quantum models with up to $n = 27$ qubits can be handled by our verification algorithm.


6 Evaluation 


In this section, we evaluate the efficiency of our verification algorithm (Algorithm 1) on noisy quantum decision models. The algorithm is implemented on TensorFlow Quantum [4], a platform of Google for designing and training quantum machine learning algorithms. Then we test it by verifying the fairness of two groups of examples:


— Small-scale models trained from real-world data (Subsect. 6.1): There are still no public benchmarks for quantum decision models. We choose two publicly available financial datasets, German Credit Data [42] and the Adult Income Dataset from the Diverse Counterfactual Explanations dataset [43], and train small-scale quantum models from them on TensorFlow Quantum. Then we evaluate the Lipschitz constant $K^*$ of the trained models by Algorithm 1.

— Medium-scale models (Subsect. 6.2): Medium-scale models (10-30 qubits) are difficult to train on TensorFlow Quantum with a personal computer or a small server, since the simulated quantum noises lead to large-size (up to $2^{30} \times 2^{30}$) matrix manipulations. Thus we turn to using a model from the tutorial of TensorFlow Quantum as a seed to generate a group of medium-scale models. The efficiency of our algorithm is then demonstrated on these models with randomly sampled parameters.


All source code can be found at: https://github.com/Veri-Q/Fairness. All our experiments are carried out on a server with Intel Xeon Platinum 8153 @ 2.00 GHz × 256 processors, 2048 GB memory and no dedicated GPU. The machine runs CentOS 7.7.1908, and each experiment is run with at most 80 processors. We use the NumPy and Google TensorNetwork [44] Python packages to compute Lipschitz constants and bias kernels for small-scale models and medium-scale models, respectively. Each of the two packages has its own advantages at its respective problem size.




6.1 A Practical Application in Finance 


— Adult Income Dataset. The original version of this dataset is extracted from the 1994 Census database by Barry Becker [45]. We use the modified version of the adult income dataset by DiCE [43]. Each individual in this modified dataset has 8 features and the classification of whether the income exceeds 50,000 USD/year or not. We randomly select 1,000 and 400 data points from the training dataset and test dataset contained in this modified dataset, respectively. The task of the quantum decision model is to predict whether an individual's income exceeds 50,000 USD/year or not.

— German Credit Dataset. This dataset contains 1,000 loan applicants with 20 features and the classification of whether they are considered as having good credit risk or not (Creditability). It provides 500 applicants for training and 500 applicants for testing. By using the p-value with creditability for each variable [46], we have 9 features (e.g., Account Balance, Payment Status) left as significant predictors. The task of the quantum model to be trained is to classify whether the person has good credit risk or not.


These datasets contain some categorical features, which are transformed into distinct integer values for further operations. Then we have $n \in \{8, 9\}$ numerical features in total and use the following data-encoding feature map:
$$x = (x_1, x_2, \ldots, x_n) \mapsto |\psi(x)\rangle = \bigotimes_{j=1}^{n} X^{x_j}|0\rangle,$$
for the Pauli matrix $X$ defined in Example 2, to encode an $n$-dimensional feature vector $x$ (each dimension is normalized by its maximum value) into an $n$-qubit quantum state $\psi(x) = |\psi(x)\rangle\langle\psi(x)|$.


Models: For the quantum decision model, we choose the basic rotation and entangling building blocks [47] to construct parameterized quantum circuits (see Fig. 2). In the rotation block, without any ambiguity, we directly use $X$ and $Z$ to represent the parameterized $X$-rotation $e^{-i\theta X/2}$ and the parameterized $Z$-rotation $e^{-i\theta Z/2}$ on one qubit, respectively. It is worth noting that the parameterized (Z-X-Z)-rotation induces universal gates on each qubit [25, Theorem 4.1], and thus the expressiveness of the models on one qubit is ensured. In the entangling block, $XX$ stands for the parameterized $(X \otimes X)$-rotation $e^{-i\theta X\otimes X/2}$ on two qubits. The entangling block can create entanglement between qubits. Here entanglement is a unique feature of quantum models to express the interactions of qubits. The model is constructed by alternately using these two blocks, with a quantum measurement $M$ at the end of the model.

Since TensorFlow Quantum is inefficient in training noisy models, we only use 3 rotation blocks and 2 entangling blocks in the trained models. In addition, to simulate noisy models, we put the different quantum noises introduced in Example 2 on each qubit, including bit flip, phase flip, depolarizing, and mixtures of them, behind the first rotation block. Note that the number of qubits of the models is the same as the number of features of the datasets, due to the above choice of the data-encoding feature map. The final measurement $M = \{M_0 = I \otimes |0\rangle\langle 0|, M_1 = I \otimes |1\rangle\langle 1|\}$ is a local measurement performed on the last qubit. For the binary classification task, the loss function we choose is the binary cross-entropy
$$-\frac{1}{N}\sum_{j=1}^{N}\big[c_j \log \hat{c}_j + (1 - c_j)\log(1 - \hat{c}_j)\big],$$
where $N$ is the size of the batch fixed in the training process, $c_j$ is the true label and $\hat{c}_j$ is the outcome of the measurement. All models are well trained and achieve around 70% train and test accuracy (see column "Accuracy" in Table 1), matching that of previously used classical and quantum finance decision models (e.g. [10, 21]).

Fig. 2. Parameterized Quantum Circuits for Quantum Finance Decision Models.

Table 1. Experimental results of Lipschitz constant $K^*$ of the trained models.

| Dataset | Noise type | Probability | Accuracy (train) | Accuracy (test) | $K^*$ | Time |
|---|---|---|---|---|---|---|
| German Credit | None | n/a | 0.732 | 0.686 | 1.0000 × 10^0 | n/a |
| | Phase flip | 10^-4 | 0.726 | 0.692 | 9.9997 × 10^-1 | 2.36 s |
| | | 10^-3 | 0.724 | 0.714 | 9.9800 × 10^-1 | 2.02 s |
| | | 10^-2 | 0.704 | 0.708 | 9.6918 × 10^-1 | 1.94 s |
| | Depolarizing | 10^-4 | 0.709 | 0.686 | 9.9977 × 10^-1 | 2.77 s |
| | | 10^-3 | 0.701 | 0.712 | 9.9789 × 10^-1 | 2.93 s |
| | | 10^-2 | 0.709 | 0.682 | 9.7916 × 10^-1 | 3.44 s |
| | Bit flip | 10^-4 | 0.712 | 0.728 | 9.9975 × 10^-1 | 2.27 s |
| | | 10^-3 | 0.710 | 0.690 | 9.9743 × 10^-1 | 2.47 s |
| | | 10^-2 | 0.724 | 0.678 | 9.7981 × 10^-1 | 2.05 s |
| | Mixed noise | 10^-4 | 0.710 | 0.704 | 9.9980 × 10^-1 | 2.15 s |
| | | 10^-3 | 0.731 | 0.682 | 9.9834 × 10^-1 | 2.08 s |
| | | 10^-2 | 0.731 | 0.692 | 9.7021 × 10^-1 | 1.95 s |
| Adult Income (DiCE) | None | n/a | 0.777 | 0.770 | 1.0000 × 10^0 | n/a |
| | Phase flip | 10^-4 | 0.784 | 0.767 | 9.9992 × 10^-1 | 0.44 s |
| | | 10^-3 | 0.771 | 0.770 | 9.9805 × 10^-1 | 0.51 s |
| | | 10^-2 | 0.773 | 0.767 | 9.8057 × 10^-1 | 0.48 s |
| | Depolarizing | 10^-4 | 0.774 | 0.767 | 9.9987 × 10^-1 | 0.57 s |
| | | 10^-3 | 0.781 | 0.767 | 9.9867 × 10^-1 | 0.58 s |
| | | 10^-2 | 0.779 | 0.767 | 9.8667 × 10^-1 | 0.69 s |
| | Bit flip | 10^-4 | 0.780 | 0.767 | 9.9980 × 10^-1 | 0.57 s |
| | | 10^-3 | 0.777 | 0.767 | 9.9800 × 10^-1 | 0.49 s |
| | | 10^-2 | 0.778 | 0.770 | 9.8117 × 10^-1 | 0.54 s |
| | Mixed noise | 10^-4 | 0.762 | 0.720 | 9.9987 × 10^-1 | 0.68 s |
| | | 10^-3 | 0.752 | 0.720 | 9.9812 × 10^-1 | 0.67 s |
| | | 10^-2 | 0.759 | 0.720 | 9.7647 × 10^-1 | 0.67 s |


Evaluation Details and Results: The results of evaluating Algorithm 1 on the models trained from the different datasets with different quantum noises are presented in Table 1. For each dataset, we train a noise-free model to serve as the baseline for training and test accuracy (see row "None"). Furthermore, different types of noise are added at different levels of probability. We list the Lipschitz constant $K^*$ and the running time of Algorithm 1 (aided by NumPy) in each row. It can be seen that the higher the noise probability, the smaller the value of the constant $K^*$. Therefore, the claim of Sect. 4.2 that quantum noise improves fairness is confirmed by the numerical results. The same is observed in Table 2 below.


6.2 Scalability in the NISQ Era 


Models: To reflect an actual application in the NISQ era, we choose not to randomly generate a parameterized quantum circuit model. Instead, we expanded the existing example of a Quantum Convolutional Neural Network (QCNN) [32] in the QCNN tutorial⁶ of TensorFlow Quantum from 8 qubits (see Fig. 3) to 27 qubits. In the experiment, we use the QCNN model with one convolution layer and one pooling layer. The noise is applied between the convolution and pooling layers on each qubit. The final measurement is $M = \{M_0 = I \otimes |0\rangle\langle 0|, M_1 = I \otimes |1\rangle\langle 1|\}$, performed on the last qubit with a gate $U$ appended before it. Since training a noisy model of this size is currently intractable on TensorFlow Quantum, the parameters in the model are all randomly sampled.


⁶ https://tensorflow.google.cn/quantum/tutorials/qcnn.




[Fig. 3 circuit diagram: a Convolution layer of two-qubit gates $C_i$, a Pooling layer of two-qubit gates $P_i$, a Fully Connected part, and the final measurement $M$.]

Fig. 3. The QCNN model in the tutorial of TensorFlow Quantum. Each C; in the 
convolution layer is a parameterized 2-qubit gate to find a new state between adjacent 
qubits. Each P; in the pooling layer is also a parameterized 2-qubit gate with another 
form that attempts to extract the information of two qubits into a single qubit. 


Evaluation Details and Results: We choose the models with 25 and 27 qubits to run the experiments. Since the parameters are randomly sampled, for each noise type and each level of probability we generate the model and evaluate the Lipschitz constant $K^*$ 3 times. However, because a $2^{25} \times 2^{25}$ or $2^{27} \times 2^{27}$ complex matrix consumes a huge amount of memory, it is not feasible to directly use Algorithm 1 as in the previous experiment, where we represented the $M_A$ in Algorithm 1 as a matrix and used the NumPy package to evaluate eigenvalues. We instead use a tensor network [48] to represent $M_A$, and the subroutine for evaluating eigenvalues in Algorithm 1 is implemented with the basic power method for eigenvalue problems [49] using the TensorNetwork package. Although there are some packages for sparse matrices in Python that can collaborate with TensorNetwork, their implementations for computing eigenvalues still consume a huge amount of memory. The evaluation results on QCNN models with randomly sampled parameters and different quantum noises are listed in Table 2. These results show that our fairness verification algorithm is efficient and can handle 27-qubit quantum decision models on a small server. To further explore the scalability of our verification algorithm, we also test on 29-qubit QCNN models; please see Appendix D in [37] for the results.

Last but not least, it is worth noting that in all experiments we also obtain bias kernels by Algorithm 1 within the running times presented in Tables 1 and 2, but as they are large-size (up to $2^{27}$-dimensional) vectors, we do not show them.


426 J. Guan et al. 


Table 2. Experimental results of Lipschitz constant K* of QCNN models. 
("\" marks that no running time is reported for the noise-free model.)

#Qubits | Noise type   | Prob.  | Eval. I: K*, Time | Eval. II: K*, Time | Eval. III: K*, Time
--------|--------------|--------|-------------------|--------------------|--------------------
25      | None         | -      | 1.0000  \         | 1.0000  \          | 1.0000  \
25      | Phase flip   | 10^-4  | 0.9998  2.15m     | 0.9997  1.92m      | 0.9999  2.12m
25      | Phase flip   | 10^-3  | 0.9983  1.71m     | 0.9982  1.35m      | 0.9987  1.10m
25      | Phase flip   | 10^-2  | 0.9865  1.75h     | 0.9870  54.49m     | 0.9831  39.07m
25      | Depolarizing | 10^-4  | 0.9998  2.22m     | 0.9998  1.59m      | 0.9998  2.38m
25      | Depolarizing | 10^-3  | 0.9985  2.46m     | 0.9980  1.62m      | 0.9982  2.04m
25      | Depolarizing | 10^-2  | 0.9824  2.33m     | 0.9802  2.53m      | 0.9809  1.77m
25      | Bit flip     | 10^-4  | 0.9997  1.74m     | 0.9998  1.60m      | 0.9999  2.15m
25      | Bit flip     | 10^-3  | 0.9986  2.44m     | 0.9980  1.80m      | 0.9991  2.37m
25      | Bit flip     | 10^-2  | 0.9943  1.78h     | 0.9854  20.78m     | 0.9919  49.36m
25      | Mixed noise  | 10^-4  | 0.9998  3.68m     | 0.9998  1.34m      | 0.9998  1.94m
25      | Mixed noise  | 10^-3  | 0.9980  1.66m     | 0.9966  2.06m      | 0.9983  0.96m
25      | Mixed noise  | 10^-2  | 0.9901  37.24m    | 0.9861  1.95h      | 0.9759  6.03m
27      | None         | -      | 1.0000  \         | 1.0000  \          | 1.0000  \
27      | Phase flip   | 10^-4  | 0.9999  6.75m     | 0.9998  7.34m      | 0.9998  8.62m
27      | Phase flip   | 10^-3  | 0.9980  6.66m     | 0.9977  9.55m      | 0.9981  6.56m
27      | Phase flip   | 10^-2  | 0.9896  7.64m     | 0.9839  54.12m     | 0.9709  4.45m
27      | Depolarizing | 10^-4  | 0.9998  6.10m     | 0.9998  6.89m      | 0.9998  6.77m
27      | Depolarizing | 10^-3  | 0.9981  4.51m     | 0.9985  5.34m      | 0.9978  21.75m
27      | Depolarizing | 10^-2  | 0.9809  1.20h     | 0.9767  6.48m      | 0.9773  8.48m
27      | Bit flip     | 10^-4  | 0.9998  6.52m     | 0.9999  5.39m      | 0.9999  6.86m
27      | Bit flip     | 10^-3  | 0.9986  4.38m     | 0.9984  7.96m      | 0.9971  10.37m
27      | Bit flip     | 10^-2  | 0.9917  5.03h     | 0.9894  4.15h      | 0.9854  3.90h
27      | Mixed noise  | 10^-4  | 0.9998  6.67m     | 0.9998  5.19m      | 0.9997  10.39m
27      | Mixed noise  | 10^-3  | 0.9976  7.06m     | 0.9976  5.91m      | 0.9986  6.62m
27      | Mixed noise  | 10^-2  | 0.9806  7.70m     | 0.9850  7.98m      | 0.9881  6.02h


7 Conclusion 


In this work, we initiate the study of algorithmic verification of fairness of 
quantum machine learning decision models. In particular, we showed that this 
verification problem can be reduced to computing the Lipschitz constant of the 
decision models, and then resolved the latter by introducing and estimating 
single measurement distinguishability. Based on these theoretical results, we 
developed an algorithm that can verify the (ε, δ)-fairness of quantum decision 
models and provides useful bias kernels for explaining the unfairness of the models. 

An interesting topic for future research is how to improve the results 
presented in this paper for training quantum decision models with fairness 
guarantees. On the other hand, further investigations are required to better 
understand the bias kernels detected by our verification algorithm, especially 
through more experiments on real-world applications. 
Abstract. MoGym is an integrated toolbox enabling the training and 
verification of machine-learned decision-making agents based on formal 
models, for the purpose of sound use in the real world. Given a formal 
representation of a decision-making problem in the JANI format and a 
reach-avoid objective, MoGym (a) enables training a decision-making agent 
with respect to that objective directly on the model using reinforcement 
learning (RL) techniques, and (b) it supports rigorous assessment of the 
quality of the induced decision-making agent by means of deep statistical 
model checking (DSMC). MoGym implements the standard interface for 
training environments established by OpenAI Gym, thereby connecting 
to the vast body of existing work in the RL community. In return, it 
makes accessible the large set of existing JANI model checking 
benchmarks to machine learning research. It thereby contributes an efficient 
feedback mechanism for improving in particular reinforcement learning 
algorithms. The connective part is implemented on top of Momba. For 
the DSMC quality assurance of the learned decision-making agents, a 
variant of the statistical model checker MODES of the MODEST TOOLSET 
is leveraged, which has been extended by two new resolution strategies 
for non-determinism when encountered during statistical evaluation. 


Keywords: Formal Methods - Statistical Model Checking - Reinforcement Learning 


1 Introduction 


Making optimal decisions in an uncertain environment is the crux of many 
practical problems. Reinforcement Learning (RL) is a popular method to compute 
near-optimal policies for sequential decision-making problems [60]. In the last 
years, RL algorithms that approximate optimal decision policies by training deep 
neural networks have exhibited unprecedented performance in various tasks [47]. 
However, the expressivity of these models makes them difficult to interpret or to 
check for consistency with desired properties. This is an impediment 
to the use of such representations in safety-critical applications [61]. In 
addition, the environment of the decision-making agent executing the policy during 
training is typically specified implicitly in the form of simulation code. In the 
academic context, for instance, the Arcade Learning Environment is widely used, 
which provides game simulators for different Atari 2600 benchmarks [6]. 


Authors are listed alphabetically. This work was partially supported by the German 
Research Foundation (DFG) under grant No. 389792660 as part of TRR 248, by the 
European Regional Development Fund (ERDF), and by the Key-Area Research and 
Development Program Grant 2018B010107004 of Guangdong Province. 

© The Author(s) 2022 
S. Shoham and Y. Vizel (Eds.): CAV 2022, LNCS 13372, pp. 430-443, 2022. 
https://doi.org/10.1007/978-3-031-13188-2_21 


MoGym: Formal Models for Training & Verifying Decision-making Agents 431 

If one strives for a principled understanding of the power of RL algorithms 
or of the properties of a specific learned agent in the (possibly uncertain) 
environment, a formal, mathematically precise and unambiguous description of 
the training environment appears central. The formal methods community has 
developed appropriate language concepts for the description of such environment 
models. Their advantage lies in their succinctness and modularity as well 
as their underlying mathematically rigorous formal semantics based on stochastic 
process models such as Markov Decision Processes (MDPs) [53], the main 
semantic object of probabilistic model checking [40]. A widespread format to 
describe MDP models of environments is the JANI format [14], providing a 
modular, automata-like syntax, supported by several model checkers, like Storm, the 
MODEST TOOLSET, EPMC [29,30,33], and via a translation also by PRISM [41]. 

This paper presents MoGym, a toolbox that bridges the gap between formal 
methods and RL by enabling (a) formally specified training environments to be 
used with machine-learned decision-making agents, and (b) the rigorous assessment 
of the quality of learned agents. For (a), it implements and extends the 
OpenAI Gym API [11], which is the widely used standard interface for deep 
reinforcement learning [16,26,35,50,55]. MoGym is based on Momba [39], a Python 
toolbox for dealing with quantitative models from construction to analysis 
centered around JANI. MoGym can process JANI models for the description of a 
training environment and, based on the induced formal MDP semantics, makes 
it possible to train agents using popular RL algorithms. 

For (b), the environment format itself is accessible to state-of-the-art model 
checkers. This enables probabilistic model checking of a specific agent acting 
in the environment specified by the model. This can be crucial to determining 
if further training improves the agent's quality and, whenever synthesis of 
the optimal agent is feasible, it allows a comparison of the agent's behavior 
to the optimal one. As such, the environment provides a stable and fully 
controllable training and checking context to assert the safety risk induced by an 
agent during and after training. More concretely, MoGym leverages deep 
statistical model checking (DSMC) [20,21]. As shown in these works on DSMC, the 
quality assessment of an agent during training is not trivial and can especially 
not always be derived from the observed training returns. Hence, analyzing the 
quality of the decision-making agents after training clearly is of interest [20,21], 
especially for badly interpretable agent structures such as neural networks (NN). 
In DSMC this is done by using the decision-making agent as an oracle resolving 
the non-determinism in the MDP specifying the environment. When resolving 
the non-determinism, a Markov chain results on which the probability of 
satisfying a given reach-avoid objective can be calculated. A prominent technique 
for doing so with very low memory requirements is statistical model checking 
(SMC) [5,7,32,34,44,64,67]. The satisfaction probability for the reach-avoid 
objective, calculated using statistics based on a set of simulation runs of the 
resulting Markov chain, can serve as an indicator of the quality of the 
decision-making agent for solving the reach-avoid task it was originally trained on. 

MoGym comprises the following components: 


— Momba Gym, newly implemented on top of Momba [39]. It implements and 
extends the OpenAI Gym API [11] for deep reinforcement learning. Momba 
Gym can be used to load a specified formal model together with a reach-avoid 
objective given by a JANI file [14] and then train a decision-making 
agent on it, which interacts in the environment given by the formal model. 

— The DSMC API, also newly implemented on top of Momba. It includes a 
Python API to use the DSMC functionality [20,21] of the MODEST TOOLSET 
[13,30]. 

— DSMC implemented in the MODEST TOOLSET. In prior work [20,21], we 
implemented Deep Statistical Model Checking for specific networks and 
purposes only. With this work, we extend the statistical model checker MODES 
[13] of the MODEST TOOLSET to be able to handle any formal MDP model 
given in one of the input languages of the toolset, and any neural network 
of arbitrary structure, as well as arbitrary oracles connected via a function. 
With the DSMC functionality it is possible to statistically model check the 
probability with which formal properties, i.e., reach-avoid objectives, are 
fulfilled by the decision-making agent, respectively oracle. 


Figure 1 shows how the different parts of MoGym are interconnected. First, 
a decision-making agent can be trained on a formal model and a reach-avoid 
property, defined in a JANI model, against the OpenAI Gym API by using 
Momba Gym with different reinforcement learning techniques, which can be 
implemented and defined by the user. Afterwards, the trained agent can be 
verified w.r.t. reach-avoid objectives by invoking the DSMC API, which makes 
use of the DSMC extension of the statistical model checker MODES. Alternatively, 
the training step can be skipped, or can be done in any other way, and an 
arbitrary external oracle can be checked. 

We are not aware of any other work that enables a direct connection of formal 
verification models and reinforcement learning that directly allows the analysis 
of different RL agents for a variety of verification benchmarks. 

Outline of the paper. In Sect. 2 we describe the Momba Gym Python API 
and explain how MoGym is used to train agents on existing JANI MDPs. Sect. 3 
presents the DSMC API of Momba, and discusses its use to assess the quality 
of decision-making agents or arbitrary oracles via DSMC, together with the new 
DSMC functionality of MODES. In Sect. 4 we provide empirical insight into the 
full functionality of MoGym. Sect. 5 concludes the paper. 

A preview of the Jupyter Notebook demonstrating the code we used to 
execute the experiments shown in the paper can be found online. It will later be 
part of the full artifact for the tool paper. 


2 Formal Models as Training Environments 


At the heart of MoGym is an implementation of the OpenAI Gym API in 
Momba Gym, which now enables the usage of JANI models as training 
environments. OpenAI Gym [11] constitutes the standard API for interfacing 
environments with different reinforcement learning algorithms, enabling their 
comparison and fostering development of new techniques. It is widely used by both 
algorithms that interact with the interface [16,26,35,50,55], as well as various 
benchmarks that implement (and sometimes extend) the interface [3,15,18,62,63,66]. 
With Momba Gym, MoGym provides an extension of this API for general JANI 
MDP models equipped with reach-avoid properties. JANI is a JSON-based format 
for exchanging formal models between tools [14]. It is the standard format in 
the quantitative verification community and directly supported by state-of-the-art 
tools, like Storm [33], the MODEST TOOLSET [30], and EPMC [29]. Translations 
from and to other languages such as the PRISM language [41,42], Modest 
[28] and even the planning language PPDDL [36,37] exist. 

A JANI model is a network of interacting automata with variables. Each 
automaton consists of a set of locations and a set of probabilistic edges from 
a source location to possibly multiple destination locations. Edges can be 
labeled with edge labels and annotated, depending on the destination, with 
assignments to variables. The transitions of the network are then obtained by 
synchronizing the automata, i.e., in every transition, potentially multiple 
automata participate with one edge each. For our purposes, we assume 
that a decision-making agent controls a single automaton in the network, i.e., 
resolves the non-determinism of this automaton. Fig. 2 exemplifies the 
construction of an automata network from two automata: a controlled automaton (a) and 
a non-controlled automaton (b). Depending on which of the edges of automaton 
(b) is taken, the probability of ending up in state b is either 1.0 (action α) or 0.2 
(action β). The final composition (c) is then the product of both automata 
synchronizing over the shared edge labels α and β. Controlling automaton (a) here 
implies selecting which of the transitions in the final composition happens. 
By choosing the edge labeled with α, the transition (α, α) in the composition 
is selected, and analogously for β. The choice of α in the controlled automaton 
obviously is the one maximizing the probability of reaching the green state (y, b) 
in the composition (c). In fact, the state is reached with certainty. Technically, 
this approach would extend to a multi-agent setting where different agents 
resolve the non-determinism in different parts of the model. We plan to provide 
a multi-agent setting in future work and assume here that all non-determinism 
not resolved by the controlled automaton is resolved uniformly.¹ 

Fig. 2. Networks of interacting automata. 

For training an agent in an environment, the OpenAI Gym API requires the 
definition of an action space and an observation space. In response to receiving 
observations from the observation space, the trained agent makes a decision 
from the action space. To enable the usage of general JANI MDP models as 
environments, an action space and observation space have to be extracted from 
the model. Depending on the model, there are multiple ways to do so. Momba 
Gym implements different strategies for this extraction. For the action space, 
edges of the controlled automaton can be selected by index or by label. For 
the observation space, (i) only global variables, (ii) global variables and local 
variables of the controlled automaton, or (iii) all variables can be declared as 
observable.² Other strategies can easily be added to Momba Gym. 

Whenever the agent makes a decision in response to an observation, the 
decision is mapped to an edge of the controlled automaton and then to a transition 
of the network. If present, other non-deterministic influences are resolved 
uniformly at random, as mentioned above. In this case, the user receives a warning 
message so that this is taken into account when inspecting the results. After 
taking the respective transition, the environment continues the trace through 
the model until a state is reached where the agent can make a decision again. 

¹ That is, each of the remaining non-deterministic options is considered equiprobable. 
MoGym can easily be extended with other mechanisms to resolve non-determinism. 
² For more details about those strategies see https://momba.dev/gym/. 

Momba Gym supports reach-avoid properties of the form φ U ψ where φ and 
ψ are propositional logic formulas over the model's states. φ U ψ encodes the 
property that a state satisfying ψ is reached eventually and that φ holds on all 
states prior to reaching ψ. In a bad state, which should be avoided, ψ is not 
satisfied and (i) there are no remaining transitions or (ii) φ is violated. In a goal 
state ψ is satisfied. To apply RL techniques, Momba Gym supports providing a 
reward structure specifying the reward for reaching a goal, the (usually negative) 
reward for reaching a bad state, the reward for taking a decision neither leading 
to a goal nor to a bad state (usually zero), and the reward for taking a 
non-applicable decision. Using the Momba Gym API integrated in Momba, one can 
create a training environment from an arbitrary JANI MDP model as follows: 


from momba import jani, gym 

model = jani.load_model(JANI_SOURCE) 

# automaton: the automaton of the network that the agent controls 
# (how it is selected from `model` is not legible in the scanned source) 

env = gym.create_generic_env(model, automaton) 


In this command, automaton is the automaton the agent controls. The function 
create_generic_env takes additional optional parameters specifying the strategy 
for the extraction of the action and observation space (i.e., by index or by 
label, see above) as well as the reward structure (by defining the four reward 
values indicated above) and parameters of the JANI model. The resulting env 
implements the OpenAI Gym API such that it can be directly used to train an 
agent for the given property using arbitrary RL algorithms based on the OpenAI 
Gym API. Thereby, Momba Gym makes JANI MDP models accessible to the 
RL community to train and evaluate their algorithms on. The implementation 
of the Momba Gym environment uses the explicit state space exploration engine 
of Momba, which is written in Rust. It is performant enough that it can 
be used to train different agents using state-of-the-art RL algorithms. 

Momba Gym extends the OpenAI Gym API with the ability to fork the 
environment and query the applicable actions. The former is useful for 
algorithms based on Monte-Carlo Tree Search (MTS) [12], known to act favorably 
on prominent benchmarks, like Atari Games [24]. Further, MTS forms the basis 
of DeepMind's famous algorithms around AlphaGo and AlphaZero [57]. 

In addition to the general Momba Gym API, we provide exemplary code to 
train an agent for an arbitrary formal model. While we ourselves implemented 
deep Q-learning [47], MoGym is open to any (deep) reinforcement learning 
algorithm. Using our implementation of deep Q-learning enables training of a 
decision-making agent for an arbitrary JANI MDP model.³ We note however 
that deep RL is known to be hyperparameter sensitive [45], so intensive 
tweaking of hyperparameters might be needed for the learning to work. In this 
regard our deep Q-learning implementation is no exception. 


3 Verifying Agents Using Statistical Model Checking 


If given a formal model and a decision-making agent trained on it, MoGym 
supports verification by deep statistical model checking. To this end, the DSMC 
API of MoGym implements two functions, one for verifying arbitrary agents in 
the form of Python functions and one for verifying PyTorch neural networks. 
Both functions rely on our DSMC extension of the statistical model checker 
MODES [13] of the MODEST TOOLSET [30], which accepts both forms of decision 
entities, and returns the reach-avoid probability calculated by the model checker. 


³ Details will be included in the artifact of the paper. 

Statistical model checking is based on Monte-Carlo simulation [56,65]. Using 
statistics, a probability estimate regarding the satisfaction of a reach-avoid 
property is derived from a set of simulation runs, the error of which is bounded 
by a confidence interval. This is determined by requiring that the probability of 
the error in the computation being larger than ε is smaller than δ: 
P(error > ε) < δ. For SMC to be applicable, the non-determinism of the model 
needs to be resolved [8,13]. In our DSMC setting this is done by the agent and 
otherwise resolved uniformly, i.e., equiprobable across all options (see Sect. 2). 
The computed reach-avoid probability can serve as an indicator of the overall 
quality of the decisions made by the agent [20]. The DSMC implementation in 
MODES provides the same functionality regarding the observation space (global 
and/or local variables) and action space (select by index or label) as the Momba 
Gym training infrastructure described in Sect. 2. 

As mentioned above, MODES can deal with two variants of decision-making 
agents. An arbitrary Python function mapping observations to decisions can be 
checked with the DSMC API of MoGym by executing: 


gym.checker.check_oracle(oracle, model, automaton) 


Here, oracle is the Python function implementing the decision-making agent. 
Notably, this is not limited to trained agents in any way. Any arbitrary Python 
function with an appropriate signature can be used. The other parameters are 
analogous to create_generic_env. In particular, check_oracle also allows op- 
tionally specifying a strategy for extracting the action and observation spaces 
(see above). 
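To make the pieces above concrete, here is an added, self-contained Python example (not MoGym's or Momba's code): a constructed automata network in the spirit of Fig. 2, wrapped as a Gym-style reach-avoid environment with the four-value reward structure of Sect. 2, plus a Monte-Carlo check_oracle in the spirit of the DSMC API that estimates the reach-avoid probability of the Markov chain induced by a Python oracle, choosing the number of simulation runs from Hoeffding's inequality for given ε and δ. The location names, the 0.8 "crash" branch of automaton (b), the reward values and the Hoeffding-based run count are assumptions of this example, not details from the paper or the tool.

```python
import math
import random
from typing import Callable, Dict, List, Tuple

# Constructed automata network loosely following the sketch of Fig. 2.
# Controlled automaton (a): location "x" has two edges, labelled "alpha" and
# "beta", both leading to "y"; "y" has no outgoing edges.
# Non-controlled automaton (b) synchronises on the same labels: from "a",
# "alpha" reaches "b" with probability 1.0, "beta" reaches "b" with
# probability 0.2 and otherwise "crash" (the crash branch is our assumption).
Location = str
State = Tuple[Location, Location]          # (location of (a), location of (b))
Dests = List[Tuple[float, Location]]       # probabilistic destinations

CONTROLLED: Dict[Location, Dict[str, Dests]] = {
    "x": {"alpha": [(1.0, "y")], "beta": [(1.0, "y")]},
    "y": {},
}
OTHER: Dict[Location, Dict[str, Dests]] = {
    "a": {"alpha": [(1.0, "b")], "beta": [(0.2, "b"), (0.8, "crash")]},
    "b": {},
    "crash": {},
}
LABELS = ["alpha", "beta"]   # action index -> edge label ("select by label")


def phi(s: State) -> bool:
    """Avoid part of phi U psi: the crash location must never be visited."""
    return s[1] != "crash"


def psi(s: State) -> bool:
    """Reach part of phi U psi: the goal state (y, b) of the composition."""
    return s == ("y", "b")


class ReachAvoidEnv:
    """Gym-style reset/step environment for the reach-avoid property phi U psi."""

    def __init__(self, rewards=(100.0, -100.0, 0.0, -1.0), rng=None):
        # reward for goal, bad state, neutral step, non-applicable decision
        self.r_goal, self.r_bad, self.r_step, self.r_na = rewards
        self.rng = rng or random.Random()
        self.state: State = ("x", "a")

    def reset(self) -> State:
        self.state = ("x", "a")
        return self.state

    def applicable_actions(self) -> List[int]:
        """Actions whose label both automata can synchronise on right now."""
        la, lb = self.state
        return [i for i, lab in enumerate(LABELS)
                if lab in CONTROLLED[la] and lab in OTHER[lb]]

    def _sample(self, dests: Dests) -> Location:
        u, acc = self.rng.random(), 0.0
        for p, loc in dests:
            acc += p
            if u < acc:
                return loc
        return dests[-1][1]

    def step(self, action: int) -> Tuple[State, float, bool]:
        if action not in self.applicable_actions():
            return self.state, self.r_na, False       # penalise, stay put
        label = LABELS[action]
        la, lb = self.state
        # synchronised transition: each automaton takes its `label` edge
        self.state = (self._sample(CONTROLLED[la][label]),
                      self._sample(OTHER[lb][label]))
        if psi(self.state):
            return self.state, self.r_goal, True
        if not phi(self.state) or not self.applicable_actions():
            return self.state, self.r_bad, True        # phi violated or stuck
        return self.state, self.r_step, False


def hoeffding_runs(eps: float, delta: float) -> int:
    """Runs N such that P(|estimate - p| > eps) <= delta (Hoeffding's bound)."""
    return math.ceil(math.log(2.0 / delta) / (2.0 * eps * eps))


def check_oracle(oracle: Callable[[State], int], eps: float = 0.05,
                 delta: float = 0.05, seed: int = 0,
                 max_steps: int = 100) -> Tuple[float, int]:
    """Estimate the reach-avoid probability of the chain induced by `oracle`."""
    env = ReachAvoidEnv(rng=random.Random(seed))
    runs = hoeffding_runs(eps, delta)
    goals = 0
    for _ in range(runs):
        state, done = env.reset(), False
        for _ in range(max_steps):             # cut off runs that never terminate
            state, _, done = env.step(oracle(state))
            if done:
                break
        goals += psi(state)
    return goals / runs, runs


if __name__ == "__main__":
    print("always alpha:", check_oracle(lambda s: 0))
    print("always beta :", check_oracle(lambda s: 1))
```

With the oracle that always chooses α the estimate is exactly 1.0, matching the Fig. 2 discussion; with always-β it lands near 0.2; an oracle that keeps returning a non-applicable action is penalised each step and never counted as reaching the goal. MODES uses its own statistical machinery; the Hoeffding run count here is just one textbook way of meeting P(error > ε) < δ, and it is deliberately conservative (738 runs for ε = δ = 0.05).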

While check_oracle involves executing Python code, a more efficient 
approach is available when the decision-making agent is a PyTorch neural network. 
In this case, the network can directly be verified with check_nn: 


gym.checker.check_nn(nn, model, automaton) 


To this end, we assume that the network is a sequence of layers. The function 
check_nn extracts these layers from the provided neural network nn and exports 
them in a JSON-based format. The neural network is then loaded by MODES 
and used for model checking without calling back into the Python runtime. 
With the help of TorchSharp [25] (a .NET library providing access to the library 
that powers PyTorch) our extension of MODES supports networks with arbitrary 
dimensions and activation functions. 

Alternatively to the DSMC API provided by MoGym, it is also possible to 
invoke MODES on the command line to check a NN or to connect it to an arbitrary 
decision-making agent via a socket connection. The agent could be any program 
taking the information of the observation space as input and sending an action 
decision back. 
4 Experimental Insights 


With MoGym it is now possible to train agents and assess their quality for 
arbitrary JANI MDP models by evaluating them using the DSMC extension of 
the statistical model checker MODES. In the following, we demonstrate all parts 
of the workflow when MoGym is used from training to evaluation. For our case 
studies, the training was performed by using a well-established standard RL 
algorithm, the deep Q-learning algorithm [47]. 


Benchmarks. Working with MoGym starts with devising a formal model to train 
a decision-making agent on. For example, the Quantitative Verification 
Benchmark Set (QVBS) [31] contains JANI models originally collected for competitions 
among quantitative verification tools. With the help of MoGym they are now 
accessible for use in the learning community. For our case studies, we selected 
three MDP benchmarks from the QVBS: cdrive.2, elevators and firewire_dl. 
With respect to the observation spaces, we use the Momba Gym API default 
setting, in which only global variables are observable. 

In cdrive.2 a car drives in a city modeled using locations connected by roads 
with traffic lights. The car should reach a destination without an accident [10]. In 
the elevators case, a certain number of elevators is available to transport coins 
to a predefined level. An elevator can fall down on a lower level [10,38]. The 
firewire_dl benchmark models the leader election protocol in the Tree Identify 
Protocol of the IEEE 1394 High Performance Serial Bus [43,59]. 

Another popular benchmark is Racetrack, which has been adopted for 
decision making under uncertainty in many works [2,4,9,19,46,51,52]. In Racetrack, 
a vehicle needs to be driven on a discretized grid track towards a goal as fast as 
possible without crashing. A preview of the Jupyter Notebook showing the code 
we used for the experiments, which will later be part of the tool paper's artifact, 
is available online. 


Training. We trained agents for all of the considered benchmarks by using the 
calls to the Momba Gym API as introduced in Sect. 2, which can be inspected 
in Sect. 2.1 and 2.2 of the Jupyter notebook. 

Fig. 3 (a) and (b) show the training progress of cdrive.2 and Racetrack, 
respectively, depicted in blue. The training for cdrive.2 took around 1 min, and 
for Racetrack about 22 min, on a standard laptop. In contrast to these two 
benchmarks, learning for elevators and firewire_dl failed. During training, the 
agent was able to reach the goal, but the NN was not able to generalize. 


Verification. For cdrive.2 and Racetrack, the training return increases over the 
number of training episodes and is quite stable at the end. The training return 
is commonly regarded as an estimator of the training progress [47,48]. Here it 
appears to indicate that the quality of the trained neural networks neither 
increases nor decreases from a certain episode on. 

However, we now can use DSMC to check the actual quality of the trained 
agents, i.e., we can determine how high the probability is that they indeed 
reach the goal in their respective environments defined by the MDP model. 
We do so by making use of the DSMC API of MoGym, introduced in Sect. 3, 
using MODES as backend. We check the goal reachability probability of the NN 
policies extracted every 1000 training episodes as shown in Sect. 2.1 and 2.2 of 
the Jupyter notebook. 

Fig. 3. Blue: Training curve showing the sliding mean of the training return, i.e., the 
accumulated discounted reward over the last 500 training episodes, on the left 
y-axis. Note the different scale for (a) and (b). Red: Goal reachability probability 
on the right y-axis. Both are plotted over the number of training episodes on the 
x-axis. (a) Shows results for cdrive.2 and (b) for Racetrack. 

As depicted by Fig. 3, the return during training is not as expressive as 
expected. While the training return is relatively consistent for both cdrive.2 and 
Racetrack, the goal reachability probability (depicted in the red points) over 
training is not. Instead, it both increases and decreases over the training 
episodes. So, the training return alone turns out not to be a good indicator for 
deciding which of the extracted policies actually is the best one. For cdrive.2 
(Fig. 3 (a)), this can be considered as fine tuning, as most of the policies perform 
near-optimally. In contrast, for Racetrack (Fig. 3 (b)), we observe a huge difference 
between the policies, including near-optimal policies as well as policies with a 
goal reachability probability of only about 20%. These deeper insights regarding 
the neural networks' quality are only possible by using DSMC. 

Having selected the best policy for each benchmark, the analysis yields a goal 
reachability probability of 86.57% for cdrive.2, where a policy acting optimally 
would reach the goal with a probability of 86.45%.⁴ The optimal value has been 
calculated with the exhaustive probabilistic model checking engine MCSTA [27] of 
the MODEST TOOLSET. The goal reachability probability of the best NN policy 
of the trained agent for Racetrack is 97.30% where the optimal policy reaches 
the goal with a probability of 99.99%. 


⁴ Note that the goal reachability probability of the NN policies is estimated by 
statistical model checking. Thus, even though it might seem surprising at first sight, 
it is of course possible that the analysis of our policy yields a slightly higher goal 
reachability probability than optimally possible as long as this is within the given 
confidence interval. We use P(error > ε) < δ, where ε = 0.01 and δ = 0.05, i.e., a 
confidence of 95%. 


5 Conclusion and Future Work 


We presented MoGym, an integrated toolbox to train, analyze and verify 
decision-making agents on formal models. These formal models are made available 
through Momba Gym, which implements and extends the well-established OpenAI Gym 
API for arbitrary reinforcement learning techniques. Using these techniques to 
obtain NNs or, alternatively, some general decision-making agents, they can then 
be rigorously verified with DSMC using the new extension of MODES. The 
approach is open to all JANI MDPs and MODES can in principle handle arbitrary 
fully connected and even convolutional networks. 

On the basis of the QVBS and Racetrack, we showed how the toolchain of 
MoGym works. As presented, our formal-model-based approach enables deeper 
insights for specified properties than non-formal, implicitly defined 
simulation-based environments. 

In the future, we want to address the problem which caused the training 
for elevators and firewire_dl to fail. Given the successes of deep RL across 
many diverse environments [1,23,47,49,54,57,58], one is tempted to expect it to 
work well on the considered environments [22,31], too. Still, deep reinforcement 
learning is known to perform badly in domains with large action spaces [17], and 
we suspect this to be the root of the problem we observe. The action structures 
arising in networks of automata are of a specific kind. Rooted in process algebra, 
their main role is to enable and orchestrate synchronization across automata, and 
this is indeed the case for the JANI models elevators and firewire_dl. A more 
meaningful construction of an action space of compositional models suitable for 
learning appears needed. 

Furthermore, the extension of our tool to other model types and an extension 
to control all of the modeled automata, making the learning task a multi-agent 
one, would clearly be of interest. Apart from that, we plan to build upon MoGym 
to develop DSMC techniques further. With DSMC Evaluation Stages [21] it has 
already been shown that DSMC can be applied during deep RL to determine 
state space regions with weak performance to concentrate on them during the 
learning process. With the help of MoGym this technique can now be integrated 
much more tightly, and there is room for further implementations in this 
direction in our tool chain. 
Abstract. Petri nets are one of the most prominent system-level 
formalisms for the specification of causality in concurrent, distributed, or 
multi-agent systems. This formalism is abstract enough to be analyzed 
using theoretical tools, and at the same time, concrete enough to 
eliminate ambiguities that would arise at implementation level. One 
interesting feature of Petri nets is that they can be studied from the point 
of view of true concurrency, where causal scenarios are specified using 
partial orders, instead of approaches based on interleaving. 

On the other hand, message sequence chart (MSC) languages are 
a standard formalism for the specification of causality from a purely 
behavioral perspective. In other words, this formalism specifies a set 
of causal scenarios between actions of a system, without providing any 
implementation-level details about the system. 

In this work, we establish several new connections between MSC 
languages and Petri nets, and show that several computational problems 
involving these formalisms are decidable. Our results fill some gaps in 
the literature that had been open for several years. To obtain our results 
we develop new techniques in the realm of slice automata theory, a 
framework introduced one decade ago in the study of the partial order behavior 
of bounded Petri nets. These techniques can also be applied to establish 
connections between Petri nets and other well studied behavioral 
formalisms, such as the notion of Mazurkiewicz trace languages. 


Keywords: MSC Languages · Mazurkiewicz Traces · Petri Nets 


1 Introduction 


Petri nets are one of the most prominent system-level formalisms for the speci- 
fication of causality in concurrent, distributed or multi-agent systems. This for- 
malism is abstract enough to be analyzed using theoretical tools, and at the same 
time, concrete enough to eliminate ambiguities that would arise at implementa- 
tion level. One interesting feature of Petri nets is that they can be studied from 
the point of view of true concurrency, where causal scenarios are specified using 
partial orders, instead of approaches based on interleaving [18,36]. On the other 
hand, message sequence chart (MSC) languages [16,19] are a standard formalism 
for the specification of causality from a purely behavioral perspective. In 
other words, this formalism specifies a set of causal scenarios between actions of 
a system, without providing any implementation-level details about the system. 

In this work, we show that given an MSC automaton $M$ specifying a set 
of partial orders $\mathcal{L}_{po}(M)$, and a $b$-bounded Petri net $N$ with causal behavior 
$\mathcal{P}_{cau}(N)$, it is decidable whether $\mathcal{L}_{po}(M) \cap \mathcal{P}_{cau}(N) \neq \emptyset$, and whether 
$\mathcal{L}_{po}(M) \subseteq \mathcal{P}_{cau}(N)$ (Theorem 8). Additionally, for any given $b \in \mathbb{N}_+$, one can synthesize a 
$b$-bounded Petri net $N$ that best captures the behavior specified by $M$ (Theorem 
9). More specifically, $\mathcal{L}_{po}(M) \subseteq \mathcal{P}_{cau}(N)$, and there is no other $b$-bounded Petri 
net $N'$ such that $\mathcal{L}_{po}(M) \subseteq \mathcal{P}_{cau}(N') \subsetneq \mathcal{P}_{cau}(N)$. Finally, if the MSC automaton 
$M$ is locally synchronized, a well studied property in the context of MSC 
language theory [1,19,31], then one can also test whether $\mathcal{P}_{cau}(N) \subseteq \mathcal{L}_{po}(M)$ 
(Theorem 8). 

The feasibility of all computational problems described above has been open 
even for 1-bounded Petri nets, despite the fact that both Petri nets and MSC 
languages were defined several decades ago. The key to our results is a new 
connection between MSC automata and slice automata, a formalism introduced 
in [33] in the study of the partial order behavior of bounded Petri nets. More 
specifically, we show that for each MSC automaton $M$, one can construct a slice 
automaton $\mathcal{A}$ such that $\mathcal{L}_{po}(M) = \mathcal{L}_{po}(\mathcal{A})$ (Theorem 7). A crucial feature of this 
construction is that it preserves good decidability properties. More precisely, if 
the input MSC automaton M is locally synchronized, then the obtained slice 
automaton A satisfies a property called saturation, which is crucial for the analy- 
sis of the causal behavior of Petri nets against safety specifications. To establish 
the connection mentioned above, we develop new slice-theoretic machinery of 
independent interest. In particular, we introduce the notions of slice-traces, and 
the notion of a locally synchronized slice automaton. In Sect. 8, we show that this 
new framework can also be used to establish connections between slice automata 
(and therefore, Petri nets), and the formalism of Mazurkiewicz trace languages 
[8,12,20,24,28], which is another well-studied formalism for the specification 
of sets of partial orders. In this case, it also holds that our reductions preserve 
good decidability properties, in the sense that finite automata accepting trace- 
closed languages are mapped to saturated slice automata. 


Related Work. During the last four decades many partial order formalisms 
have been introduced and several connections have been established between 
these formalisms [9, 13, 17,21, 25,29,36]. In particular, the expressiveness of finite 
message-passing automata with a priori unbounded FIFO channels was studied 
in [5], where it was shown that these automata capture exactly the class of MSC 
languages that are definable in existential monadic second-order logic interpreted 
over MSCs. Asynchronous cellular automata for traces were originally introduced 
by Zielonka [37]. A notion of asynchronous cellular automaton for pomsets with- 
out auto-concurrency was devised in [10]. Existentially bounded communicating 
automata have been considered in [14] where an equivalence was established 
between communication automata, globally cooperative compositional message 
sequence graphs and monadic second-order logic. Several connections between 


Synthesis and Analysis of Petri Nets from Causal Specifications 449 


communicating automata with bounded channels and Mazurkiewicz traces have 
been considered in [15]. Generalizations of Mazurkiewicz traces have been con- 
sidered in [22], and some extensions of message sequence graphs that are suitable 
for model checking under MSO specifications have been considered in [27]. Series 
parallel languages have been considered in [26]. It is important to note that the 
class of partial orders that can be accepted by slice automata is incomparable 
with the class of series parallel partial orders. On the one hand, series parallel 
partial orders are not necessarily $k$-bounded in the sense considered in this 
work. On the other hand, it is easy to construct $k$-bounded partial orders that 
are not series parallel. In particular, for $k > 4$, slice automata are able to define 
$k$-bounded partial orders whose underlying undirected graph has the complete 
graph $K_4$ as a minor, whereas it is known that no such partial order can be series 
parallel. It is also worth noting that none of the formalisms described in this 
paragraph are able to represent the causal behavior of arbitrary bounded Petri 
nets. Generalizations of finite automata accepting infinite words have been 
considered in several contexts, for instance, regular sets of infinite message 
sequence charts [23]. Automata over message sequence charts capable of accepting 
infinite MSCs were studied in [4]. We note that we do not consider automata 
capable of accepting infinite partial orders in this work. 


2 The Causal Semantics of Petri Nets 


In this section, we briefly define the classic notion of Petri-nets and describe 
their partial-order semantics. Within this semantics, partial orders are used to 
represent the causality between events in concurrent runs of a Petri net. 

A Petri net is a tuple $N = (P, T, W, m_0)$ where $P$ is a set of places, $T$ is a set 
of transitions such that $P \cap T = \emptyset$, $W : (P \times T) \cup (T \times P) \to \mathbb{N}$ is a function 
that assigns a weight $W(x,y)$ to each element $(x,y) \in (P \times T) \cup (T \times P)$, and 
$m_0 : P \to \mathbb{N}$ is a function that assigns a non-negative integer $m_0(p)$ to each place 
$p \in P$. 

A marking for $N$ is any function of the form $m : P \to \mathbb{N}$. Intuitively, a 
marking $m$ assigns a number of tokens to each place of $N$. The marking $m_0$ is 
called the initial marking of $N$. If $m$ is a marking and $t$ is a transition in $T$, then 
we say that $t$ is enabled at $m$ if $m(p) - W(p,t) \geq 0$ for every place $p \in P$. If this is 
the case, the firing of $t$ yields the marking $m'$ which is obtained from $m$ by setting 
$m'(p) = m(p) - W(p,t) + W(t,p)$ for every place $p \in P$. A firing sequence for $N$ 
is a mixed sequence of markings and transitions 
$\mathcal{S} = m_0 \xrightarrow{t_1} m_1 \xrightarrow{t_2} \cdots \xrightarrow{t_n} m_n$ 
such that for each $i \in \{1,\ldots,n\}$, $t_i$ is enabled at $m_{i-1}$, and $m_i$ is obtained from 
$m_{i-1}$ by the firing of $t_i$. We say that such a firing sequence is $b$-bounded if for 
each $i \in \{0,\ldots,n\}$ and each $p \in P$, $m_i(p) \leq b$. We say that $N$ is $b$-bounded if 
each of its firing sequences is $b$-bounded. 

The partial order semantics of Petri nets is defined using the notion of Petri- 
net processes introduced by Goltz and Reisig in [18]. The information about 
the causality between events is extracted from objects called Petri net processes, 
which encode the production and consumption of tokens along a concurrent run 
of the Petri net in question. The definition of processes, in turn, is based on the 
notion of occurrence net. 

An occurrence net is a DAG $O = (B \,\dot\cup\, V, F)$ where the vertex set $B \,\dot\cup\, V$ is 
partitioned into a set $B$, whose elements are called conditions, and a set $V$, whose 
elements are called events. The edge set $F \subseteq (B \times V) \cup (V \times B)$ is restricted in 
such a way that for every condition $b \in B$, $|\{(b,v) \mid v \in V\}| \leq 1$ and 
$|\{(v,b) \mid v \in V\}| \leq 1$. In other words, conditions in an occurrence net are unbranched. For each 
condition $b \in B$, we let $\mathrm{InDegree}(b)$ denote the number of edges having $b$ as target. 
A process of a Petri net $N$ is an occurrence net whose conditions are labeled with 
places of $N$, and events are labeled with transitions of $N$. Processes are intuitively 
used to describe the token game in a concurrent execution of the net. 


Definition 1 (Process [18]). A process of a Petri net $N = (P, T, W, m_0)$ 
is a labeled DAG $\pi = (B \cup V, F, \rho)$ where $(B \cup V, F)$ is an occurrence net and 
$\rho : (B \cup V) \to (P \cup T)$ is a labeling function satisfying the following properties. 

1. Places label conditions and transitions label events: $\rho(B) \subseteq P$ and $\rho(V) \subseteq T$. 
2. For every $p \in P$, $|\{b : \mathrm{InDegree}(b) = 0,\ \rho(b) = p\}| = m_0(p)$. 
3. For every $v \in V$ and every $p \in P$, $|\{(b,v) \in F : \rho(b) = p\}| = W(p, \rho(v))$ 
and $|\{(v,b) \in F : \rho(b) = p\}| = W(\rho(v), p)$. 


Item 1 says that the conditions of a process are labeled with places, while 
the events are labeled with transitions. Item 2 says that the minimal vertices 
of the process are conditions. Intuitively, each of these conditions represents a 
token in the initial marking of $N$. Thus for each place $p$ of $N$ the process has 
$m_0(p)$ minimal conditions labeled with the place $p$. Item 3 determines that the 
token game of a process corresponds to the token game defined by the firing of 
transitions in the Petri net $N$. Thus if a transition $t$ consumes $W(p,t)$ tokens 
from place $p$ and produces $W(t,p)$ tokens at place $p$, then each event labeled 
with $t$ must have $W(p,t)$ in-neighbours that are conditions labeled with $p$, and 
$W(t,p)$ out-neighbours that are conditions labeled with $p$. 


Fig. 1. A 2-bounded Petri net $N$. A process $\pi$ of $N$. The partial order $\ell_\pi$ derived from 
$\pi$. The extension $\ell_\pi^*$ of $\ell_\pi$. 


Let $R \subseteq X \times X$ be a binary relation over a set $X$. We denote by $tc(R)$ the 
transitive closure of $R$. If $\pi = (B \cup V, F, \rho)$ is a process then the causal order of 
$\pi$ is the partial order $\ell_\pi = (V, tc(F)|_{V \times V}, \rho|_V)$ which is obtained by taking the 
transitive closure of $F$ and subsequently by restricting $tc(F)$ to pairs of events 
of $V$. In other words, the causal order of a process $\pi$ is the partial order induced 
by $\pi$ on its events. 
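As an added example (not code from the paper), the following Python implements the definitions of this section for a small constructed net: the firing rule, the $b$-boundedness test by exhaustive exploration of the reachable markings, and the construction of a process from a firing sequence together with its causal order. The net `NET`, the net `UNBOUNDED_NET`, their weights and the firing sequence are assumptions made up for the illustration.

```python
"""Petri net firing semantics, b-boundedness and causal orders of processes.

Added example, not code from the paper. A net is a tuple
(places, transitions, W, m0) following Sect. 2: W maps (place, transition)
and (transition, place) pairs to weights (missing pairs have weight 0) and
m0 is the initial marking. The nets below are constructed for the example.
"""
from collections import deque
from itertools import count

# Constructed 2-bounded net: a forks one token into p1 and p2, b and c move
# them into p3 independently, and d joins the two tokens back into p0.
NET = (
    ("p0", "p1", "p2", "p3"),
    ("a", "b", "c", "d"),
    {("p0", "a"): 1, ("a", "p1"): 1, ("a", "p2"): 1,
     ("p1", "b"): 1, ("b", "p3"): 1,
     ("p2", "c"): 1, ("c", "p3"): 1,
     ("p3", "d"): 2, ("d", "p0"): 1},
    {"p0": 1, "p1": 0, "p2": 0, "p3": 0},
)

# Constructed unbounded net: every firing of a adds a fresh token to p1.
UNBOUNDED_NET = (
    ("p0", "p1"), ("a",),
    {("p0", "a"): 1, ("a", "p0"): 1, ("a", "p1"): 1},
    {"p0": 1, "p1": 0},
)


def enabled(net, m, t):
    """t is enabled at m if m(p) - W(p, t) >= 0 for every place p."""
    places, _, W, _ = net
    return all(m[p] - W.get((p, t), 0) >= 0 for p in places)


def fire(net, m, t):
    """The marking m' with m'(p) = m(p) - W(p, t) + W(t, p)."""
    places, _, W, _ = net
    return {p: m[p] - W.get((p, t), 0) + W.get((t, p), 0) for p in places}


def is_bounded(net, b):
    """Decide whether every firing sequence of net is b-bounded.

    Breadth-first exploration of the reachable markings that stops as soon
    as a place holds more than b tokens; otherwise at most (b+1)^|P|
    markings exist, so the exploration terminates.
    """
    places, transitions, _, m0 = net
    key = lambda m: tuple(m[p] for p in places)
    seen, queue = {key(m0)}, deque([m0])
    while queue:
        m = queue.popleft()
        if any(m[p] > b for p in places):
            return False
        for t in transitions:
            if enabled(net, m, t):
                m2 = fire(net, m, t)
                if key(m2) not in seen:
                    seen.add(key(m2))
                    queue.append(m2)
    return True


def process_of(net, firing_sequence):
    """Build the process (Definition 1) generated by a firing sequence.

    Returns (events, F, rho): the events in firing order, the edge set F of
    the occurrence net and the labeling rho. Every token is a condition;
    firing t consumes W(p, t) unconsumed conditions labeled p (oldest first)
    and produces W(t, p) fresh ones, which keeps conditions unbranched.
    """
    places, _, W, m0 = net
    fresh, rho, F, events = count(), {}, [], []
    avail = {p: [] for p in places}  # unconsumed conditions per place
    for p in places:
        for _ in range(m0[p]):
            c = f"c{next(fresh)}"
            rho[c] = p
            avail[p].append(c)
    for t in firing_sequence:
        v = f"e{len(events)}"
        rho[v] = t
        events.append(v)
        for p in places:
            if len(avail[p]) < W.get((p, t), 0):
                raise ValueError(f"{t} is not enabled when it is fired")
            for _ in range(W.get((p, t), 0)):
                F.append((avail[p].pop(0), v))
            for _ in range(W.get((t, p), 0)):
                c = f"c{next(fresh)}"
                rho[c] = p
                avail[p].append(c)
                F.append((v, c))
    return events, F, rho


def causal_order(events, F):
    """The causal order of a process: tc(F) restricted to pairs of events."""
    succ, evset, order = {}, set(events), set()
    for x, y in F:
        succ.setdefault(x, []).append(y)
    for v in events:
        stack, reached = list(succ.get(v, [])), set()
        while stack:
            x = stack.pop()
            if x not in reached:
                reached.add(x)
                stack.extend(succ.get(x, []))
        order.update((v, x) for x in reached if x in evset)
    return order


if __name__ == "__main__":
    print("NET 2-bounded:", is_bounded(NET, 2), "1-bounded:", is_bounded(NET, 1))
    ev, F, rho = process_of(NET, ["a", "b", "c", "d"])
    print(sorted(causal_order(ev, F)))  # b and c stay unordered
```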
If $\ell = (V, <, l)$ is a partial order, then we let $\ell^* = (V', <', l')$ be the extended 
version of $\ell$, where $V' = V \cup \{v_s, v_e\}$, $<' \;=\; < \cup (\{v_s\} \times V) \cup (V \times \{v_e\}) \cup \{(v_s, v_e)\}$, 
$l'|_V = l$, $l'(v_s) = \varsigma$ and $l'(v_e) = \varepsilon$. In other words, $\ell^*$ is obtained from $\ell$ by the 
addition of an element $v_s$ that is smaller than all other elements, and an element 
$v_e$ that is greater than all other elements. The addition of these minimal and 
maximal elements to a partial order is made to avoid the consideration of 
special cases in some of our future lemmas. All of our results work if we ignore this 
step, but at the expense of more repetitive proofs that deal with corner cases. We 
denote by $\mathcal{P}_{cau}(N)$ the set of all extended versions of partial orders derived from 
processes of $N$: $\mathcal{P}_{cau}(N) = \{\ell_\pi^* \mid \pi \text{ is a process of } N\}$. We say that $\mathcal{P}_{cau}(N)$ is the 
causal language of $N$. We observe that several processes of $N$ may correspond 
to the same partial order in $\mathcal{P}_{cau}(N)$. 

Recall that the Hasse diagram of a partial order $\ell = (V, <, l)$ is the DAG 
$H = (V, E)$ with the smallest number of edges with the property that $< \;=\; tc(E)$. 
It is a well known result in partial order theory that this DAG is unique. We say 
that $\ell$ is a $k$-partial-order, for some $k \in \mathbb{N}$, if there exist $k$ paths $p_1, \ldots, p_k$ in $H$ 
that cover all vertices and edges of $H$. In other words, $V = \bigcup_i V_i$ and $E = \bigcup_i E_i$ 
where for each $i \in \{1,\ldots,k\}$, $V_i$ and $E_i$ are the vertex-set and edge-set of the 
path $p_i$ respectively. We note that the paths in the cover are not necessarily 
vertex-disjoint nor edge-disjoint. 

For each $k \in \mathbb{N}$, let $\mathcal{P}_{cau}(N, k)$ denote the set of $k$-partial-orders which are 
causal-orders of $N$. It can be shown that if $N$ is $b$-bounded, then every 
causal-order of $N = (P, T, W, m_0)$ is a $(b \cdot |P|)$-partial-order. In other words, each 
causal-order of $N$ can be covered by at most $b \cdot |P|$ paths. This implies that 
$\mathcal{P}_{cau}(N) = \mathcal{P}_{cau}(N, b \cdot |P|)$. 


3 Message Sequence Chart Languages 


Message Sequence Charts (MSCs) are a suitable formalism for the representation 
of the exchange of messages between processes of a concurrent system. 
In particular, during the last two decades, MSCs have been used to specify 
runs of telecommunication protocols. Intuitively, an MSC can be formalized as 
a partial-order that represents the causality between messages exchanged in a 
given concurrent run. Infinite families of MSCs, and therefore infinite families 
of partial-orders, can be specified using equivalent formalisms such as message 
sequence graphs, hierarchical (or high-level) message sequence charts (HMSCs) 
[2,30,32], or message sequence chart automata which will be defined below. 

We formalize MSCs according to the terminology used in [30]. Let $I$ be a 
finite set of processes, also called instances. For each instance $i \in I$, we associate 
a finite set of actions $\Sigma_i = \Sigma_i^{int} \cup \Sigma_i^{!} \cup \Sigma_i^{?}$. This set is partitioned into a set $\Sigma_i^{int}$ 
of internal actions, a set $\Sigma_i^{!} = \{i!j : j \in I \setminus \{i\}\}$ of send actions, and a set 
$\Sigma_i^{?} = \{i?j : j \in I \setminus \{i\}\}$ of receive actions. We shall assume that for each two 
distinct instances $i, j \in I$, $\Sigma_i \cap \Sigma_j = \emptyset$. The set of actions associated with $I$ is 
defined as $\Sigma_I = \bigcup_{i \in I} \Sigma_i$. Given an action $a \in \Sigma_I$, $\mathrm{Ins}(a)$ denotes the unique 
instance $i$ such that $a \in \Sigma_i$. For each $\Sigma_I$-labeled partial-order $\ell = (V, <, l)$ and 
each vertex $v \in V$, we let $\mathrm{Ins}(v) = \mathrm{Ins}(l(v))$ be the instance of $I$ where the 
action $l(v)$ occurs. For each $i, j \in I$ with $i \neq j$, and each subset $X \subseteq V$ we 
let $\#^{i!j}(X) = |\{v \in X \mid l(v) = i!j\}|$ be the number of messages sent from $i$ to $j$, 
and $\#^{i?j}(X) = |\{v \in X \mid l(v) = i?j\}|$ be the number of messages received by $i$ 
which were sent by $j$. We write $v \leq v'$ as a shortcut for $v < v' \vee v = v'$. For each 
$v \in V$ we let $\downarrow v = \{v' \mid v' \leq v\}$ be the set of all nodes of $\ell$ which are smaller 
than or equal to $v$. We write $v \lessdot v'$ to indicate that $v < v'$ and for every $u \in V$, 
$v < u \leq v' \Rightarrow u = v'$. In other words, $v \lessdot v'$ if $v'$ is an out-neighbour of $v$ in the 
Hasse diagram of $\ell$. 


Definition 2 (Message Sequence Chart (MSC)). Let $I$ be a set of processes. 
A message sequence chart over $I$ is a $\Sigma_I$-labeled partial-order $M = (V, <, l)$ 
satisfying the following properties. 

1. For every pair of actions $v, v' \in V$, if $\mathrm{Ins}(v) = \mathrm{Ins}(v')$ then either $v < v'$, 
$v' < v$ or $v = v'$. 
2. For every $i, j \in I$ with $i \neq j$, $\#^{i!j}(V) = \#^{j?i}(V)$. 
3. For each $v, v' \in V$ and each $i, j \in I$, if $l(v) = i!j$ and $l(v') = j?i$ and 
$\#^{i!j}(\downarrow v) = \#^{j?i}(\downarrow v')$, then $v < v'$. 
4. If $v \lessdot v'$ and $\mathrm{Ins}(v) \neq \mathrm{Ins}(v')$, then, for some $i, j \in I$, 
$l(v) = i!j$, $l(v') = j?i$ and $\#^{i!j}(\downarrow v) = \#^{j?i}(\downarrow v')$. 


Intuitively, Condition 1 states that actions occurring on the same process are 
linearly ordered. Condition 2 states that for each two distinct processes $i, j$, the 
number of messages sent from $i$ to $j$ is equal to the number of messages received 
by $j$ coming from $i$. Condition 3 states that for each $n \in \mathbb{N}$, the $n$-th message sent 
from $i$ to $j$ is received when the $n$-th action $j?i$ occurs, i.e., the channels in which 
these messages are transmitted are assumed to be FIFO. Finally, Condition 4 
establishes a causal dependence between send and receive actions from distinct 
processes. 

Let $M = (V, <, l)$ and $M' = (V', <', l')$ be MSCs over $I$. The composition of 
$M$ with $M'$ is the MSC $M \circ M' = (V'', <'', l'')$ where $V'' = V \cup V'$, $l'' = l \cup l'$, and 
$<''$ is the transitive closure of the relation 
$< \cup <' \cup \{(v, v') \in V \times V' \mid \mathrm{Ins}(v) = \mathrm{Ins}(v')\}$. 

To define infinite families of partial-orders, we use the notion of message 
sequence chart automata (MSC automata). Let $\mathcal{M}_I$ be the set of all finite MSCs 
over $I$. Here, the set $\mathcal{M}_I$ may be regarded as an (infinite) alphabet of MSCs. 


Definition 3. Let $I$ be a set of processes. A message sequence chart automaton 
(MSC automaton) over $I$ is a finite automaton $M = (Q, R, Q_0, F)$ where $Q$ is 
a finite set of states, $Q_0 \subseteq Q$ is a set of initial states, $F$ is a set of final states 
and $R \subseteq Q \times \mathcal{M}_I \times Q$. 


We say that a sequence $M_1 M_2 \ldots M_n$ of MSCs is accepted by $M$ if there is a 
sequence $q_0 \xrightarrow{M_1} q_1 \xrightarrow{M_2} \cdots \xrightarrow{M_n} q_n$ where $q_0 \in Q_0$, $q_n \in F$ and $(q_{i-1}, M_i, q_i) \in R$ 
for each $i \in \{1,\ldots,n\}$. An MSC automaton generates two languages. At the 
syntactic level, $\mathcal{L}(M)$ is the set of all sequences $M_1 M_2 \ldots M_n$ of MSCs accepted 
by $M$. At the semantic level, 

$$\mathcal{L}_{po}(M) = \{M_1 \circ \cdots \circ M_n \mid n \in \mathbb{N},\ M_1 \ldots M_n \in \mathcal{L}(M)\}$$ 

is the set of all MSCs obtained by composing each sequence of MSCs in $\mathcal{L}(M)$. 
We note that an MSC language can be represented by an MSC automaton if and 
only if it can be represented by the more traditionally used message sequence 
graphs [2,30,32]. Nevertheless, we choose to work with MSC automata because 
the proofs of our results become shorter. 

If $M$ is an MSC, then the communication graph of $M$, denoted by $G(M)$, 
has the processes of $M$ as vertices, and has one edge $e$ with source in a process 
$p$ and target in a process $q$ if and only if $p$ sends some message to $q$ in $M$. We 
say that $M$ is locally-synchronized if the graph $G(M)$ has a unique non-trivial¹ 
strongly connected component, and every vertex that is not in such component 
is isolated. We say that an MSC automaton $M$ is locally-synchronized if for 
each loop $q_1 \xrightarrow{M_1} q_2 \xrightarrow{M_2} \cdots \xrightarrow{M_n} q_1$ in $M$, the MSC $M_1 \circ M_2 \circ \cdots \circ M_n$ is 
locally-synchronized. 
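As an added example (not code from the paper), the following Python builds the MSC of Definition 2 from the local action sequences of the instances, checking Conditions 1 to 4 and rejecting inputs for which no partial order exists, and tests the locally-synchronized property of an MSC through its communication graph $G(M)$. The instance names and message exchanges in `EXAMPLE` are constructed for the illustration.

```python
"""Building an MSC (Definition 2) and checking local synchronization.

Added example, not code from the paper. Each instance i is given as the list
of actions it performs in local order: ("!", j) stands for i!j, ("?", j) for
i?j and ("int", name) for an internal action. msc_from_sequences() returns
the set of pairs (v, v') with v < v' of the MSC over these sequences, with
vertices named (instance, position), or raises ValueError when no MSC
exists. The message exchanges below are constructed for the illustration.
"""
from collections import defaultdict

# Constructed: p sends two messages to q and then waits for q's reply.
EXAMPLE = {
    "p": [("!", "q"), ("int", "work"), ("!", "q"), ("?", "q")],
    "q": [("?", "p"), ("?", "p"), ("!", "p")],
}


def msc_from_sequences(seqs):
    cover = set()                  # candidate Hasse edges v -> v'
    sent = defaultdict(list)       # (i, j) -> vertices labeled i!j, in order
    received = defaultdict(list)   # (i, j) -> vertices labeled i?j, in order
    for i, actions in seqs.items():
        for n, (kind, arg) in enumerate(actions):
            v = (i, n)
            if n > 0:              # Condition 1: local actions are linearly ordered
                cover.add(((i, n - 1), v))
            if kind == "!":
                sent[(i, arg)].append(v)
            elif kind == "?":
                received[(i, arg)].append(v)
    # Condition 2: as many i!j actions as j?i actions for every i != j.
    channels = set(sent) | {(j, i) for (i, j) in received}
    for (i, j) in channels:
        if len(sent[(i, j)]) != len(received[(j, i)]):
            raise ValueError(f"#{i}!{j} differs from #{j}?{i}")
        # Conditions 3 and 4: FIFO channels, so the n-th send i!j is matched
        # with, and precedes, the n-th receive j?i.
        for s, r in zip(sent[(i, j)], received[(j, i)]):
            cover.add((s, r))
    vertices = {(i, n) for i, a in seqs.items() for n in range(len(a))}
    succ = defaultdict(set)
    for a, b in cover:
        succ[a].add(b)
    less = set()                   # transitive closure of the cover relation
    for v in vertices:
        stack, reached = list(succ[v]), set()
        while stack:
            x = stack.pop()
            if x not in reached:
                reached.add(x)
                stack.extend(succ[x])
        if v in reached:           # a cycle: not a partial order, hence no MSC
            raise ValueError(f"causal cycle through {v}")
        less.update((v, x) for x in reached)
    return less


def is_locally_synchronized(seqs):
    """G(M) has a unique non-trivial strongly connected component and every
    vertex outside it is isolated."""
    procs = list(seqs)
    edges = {(i, j) for i, acts in seqs.items() for kind, j in acts if kind == "!"}
    reach = {p: {p} for p in procs}      # reflexive-transitive reachability
    changed = True
    while changed:                       # propagate until a fixed point
        changed = False
        for (i, j) in edges:
            new = reach[i] | reach[j]
            if new != reach[i]:
                reach[i], changed = new, True
    sccs = {frozenset(q for q in procs if q in reach[p] and p in reach[q])
            for p in procs}
    nontrivial = [c for c in sccs if len(c) > 1]
    touched = {x for e in edges for x in e}  # vertices with an incident edge
    return len(nontrivial) == 1 and touched <= nontrivial[0]


if __name__ == "__main__":
    print(sorted(msc_from_sequences(EXAMPLE)))
    print("locally synchronized:", is_locally_synchronized(EXAMPLE))
```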

The partial-order language accepted by an MSC automaton is linearization-regular 
[19] if the set of linearizations of partial-orders in $\mathcal{L}_{po}(M)$ can be recognized 
by a finite automaton over the alphabet $\Sigma_I$. In other words, $\mathcal{L}_{po}(M)$ 
is linearization-regular if the following set of strings over $\Sigma_I$ is regular in the 
usual sense of finite automata theory. 

$$lin(M) = \bigcup_{\ell \in \mathcal{L}_{po}(M)} lin(\ell). \qquad (1)$$ 


It can be shown that an MSC language generated by an MSC automaton M 
is linearization-regular if and only if M is locally synchronized. 


Theorem 1 ([2,31]). Let M be an MSC automaton. Then Lpo( M) is 
linearization-regular if and only if M is locally-synchronized. 


4 Slice Automata 


In this section we define slices and slice automata. Slice automata will be used to 
provide a static representation of infinite families of DAGs and infinite families of 
partial-orders. We note that slices can be related to several formalisms such as 
multi-pointed graphs [11], co-span decompositions [7] and graph transformations 
[3,6,11,35]. 

In what follows, $T$ denotes a finite set of labels. A slice $S = (V, E, l, s, t, [I, C, O])$ 
is a $(T \cup \mathbb{N})$-labeled DAG where the vertex set $V = I \,\dot\cup\, C \,\dot\cup\, O$ is 
partitioned into an in-frontier $I$, a center $C$ and an out-frontier $O$. The function 
$l : V \to T \cup \mathbb{N}$ labels the center vertices in $C$ with elements of $T$, and the in- and 
out-frontier vertices with positive integers in such a way that $l(I) = \{1,\ldots,|I|\}$ and 
$l(O) = \{1,\ldots,|O|\}$. We require that each frontier-vertex $v$ in $I \cup O$ is the endpoint 
of exactly one edge $e \in E$ and that the edges are directed from the in-frontier to the 
out-frontier. More precisely, for each edge $e \in E$, we assume that $s(e) \in I \cup C$ and 
that $t(e) \in C \cup O$. We may also speak of a slice $S$ with frontiers $(I, O)$ to indicate 
that the in-frontier of $S$ is $I$ and that the out-frontier of $S$ is $O$. 


¹ A strongly connected component is trivial if it has a unique vertex. 


Fig. 2. i) A slice and its pictorial representation. ii) Composition of slices. 


A slice $S_1 = (V_1, E_1, l_1, s_1, t_1)$ with frontiers $(I_1, O_1)$ can be glued to a slice 
$S_2 = (V_2, E_2, l_2, s_2, t_2)$ with frontiers $(I_2, O_2)$ provided $|O_1| = |I_2|$. In this case 
the glueing gives rise to the slice $S_1 \circ S_2 = (V_3, E_3, l_3, s_3, t_3)$ with frontiers $(I_1, O_2)$ 
which is obtained by taking the disjoint union of $S_1$ and $S_2$, and by fusing, for 
each $i \in \{1,\ldots,|O_1|\}$, the unique edge $e_1 \in E_1$ for which $l_1(t_1(e_1)) = i$ with the 
unique edge $e_2 \in E_2$ for which $l_2(s_2(e_2)) = i$. Formally, the fusion of $e_1$ with 
$e_2$ is performed by creating a new edge $e_{12}$ with source $s_3(e_{12}) = s_1(e_1)$ and 
target $t_3(e_{12}) = t_2(e_2)$, and by deleting $e_1$ and $e_2$. Thus in the glueing process 
the vertices in the glued frontiers disappear. 

A unit slice is a slice with exactly one vertex in its center. A slice is initial if 
it has empty in-frontier and final if it has empty out-frontier. The width of a slice 
$S$ with frontiers $(I, O)$ is defined as $w(S) = \max\{|I|, |O|\}$. A slice alphabet is any 
finite set of slices. In particular, for each finite set of symbols $T$ and each $k \in \mathbb{N}$ 
we let $\Sigma(k,T)$ be the set of all unit slices $S$ of width at most $k$ whose center 
vertex is labeled with an element from $T$. Observe that the alphabet $\Sigma(k,T)$ is 
finite and has asymptotically $|T| \cdot 2^{O(k \log k)}$ slices. A sequence $U = S_1 S_2 \ldots S_n$ 
of unit slices is called a unit decomposition if $S_i$ can be glued to $S_{i+1}$ for each 
$i \in \{1,\ldots,n-1\}$. In this case, we let $\vec{U} = S_1 \circ S_2 \circ \cdots \circ S_n$ be the DAG associated 
with $U$, which is obtained by glueing each two consecutive slices in $U$. The width 
of $U$, denoted by $w(U)$, is defined as the maximum width of a slice occurring 
in $U$. We let $\Sigma(k,T)^*$ be the set of all sequences of slices over $\Sigma(k,T)$, and 
$\Sigma(k,T)^{\circledast}$ be the set of all unit decompositions over $\Sigma(k,T)$. 


Definition 4 (Slice Automaton). Let $T$ be a finite set of symbols and let 
$k \in \mathbb{N}$. A slice automaton over $\Sigma(k,T)$ is a finite automaton $\mathcal{A} = (Q, R, q_0, F)$ 
where $Q$ is a set of states, $q_0 \in Q$ is an initial state, $F \subseteq Q$ is a set of final 
states, and $R \subseteq Q \times \Sigma(k,T) \times Q$ is a transition relation such that for every 
$q, q', q'' \in Q$ and every $S, S' \in \Sigma(k,T)$: 

1. if $(q_0, S, q) \in R$ then $S$ is an initial slice, 
2. if $(q, S, q') \in R$ and $q' \in F$, then $S$ is a final slice, 
3. if $(q, S, q') \in R$ and $(q', S', q'') \in R$, then $S$ can be glued to $S'$. 

Fig. 3. i) A slice automaton $\mathcal{A}$. ii) A unit decomposition $U$ accepted by $\mathcal{A}$. iii) The 
DAG $\vec{U}$ obtained by glueing each two consecutive slices in $U$. 


Languages of a Slice Automaton. A slice automaton $\mathcal{A}$ can be used to 
represent three types of languages. At a syntactic level, we have the slice language 
$\mathcal{L}(\mathcal{A})$ which consists of the set of all unit decompositions accepted by $\mathcal{A}$. 

$$\mathcal{L}(\mathcal{A}) = \{S_1 S_2 \ldots S_n \mid S_1 S_2 \ldots S_n \text{ is accepted by } \mathcal{A}\} \qquad (2)$$ 

At a semantic level, we have the graph language $\mathcal{L}_G(\mathcal{A})$ which consists of all 
DAGs represented by unit decompositions in $\mathcal{L}(\mathcal{A})$, and the partial-order 
language $\mathcal{L}_{po}(\mathcal{A})$, which consists of all partial-orders which arise as the transitive 
closure ($tc$) of DAGs in $\mathcal{L}_G(\mathcal{A})$. Formally, the graph language and the 
partial-order language accepted by $\mathcal{A}$ are defined as follows. 

$$\mathcal{L}_G(\mathcal{A}) = \{\vec{U} \mid U \in \mathcal{L}(\mathcal{A})\} \qquad \mathcal{L}_{po}(\mathcal{A}) = \{tc(\vec{U}) \mid \vec{U} \in \mathcal{L}_G(\mathcal{A})\}. \qquad (3)$$ 


Let $H$ be a DAG whose vertices are labeled with elements from a finite set 
$T$. Then we let $ud(H, \Sigma(k,T))$ denote the set of all unit decompositions $U$ in 
$\Sigma(k,T)^{\circledast}$ for which $\vec{U} = H$. We say that a slice automaton $\mathcal{A}$ over $\Sigma(k,T)$ is 
saturated if for every DAG $H \in \mathcal{L}_G(\mathcal{A})$ we have that $ud(H, \Sigma(k,T)) \subseteq \mathcal{L}(\mathcal{A})$. 


The transitive reduction of a DAG $H = (V, E, l)$ is the (unique) minimal 
subgraph $tr(H)$ of $H$ with the same transitive closure as $H$. Note that 
$tc(tr(H)) = tc(H)$. We say that a DAG $H$ is transitively reduced if $H = tr(H)$. 
Alternatively, we call a transitively reduced DAG a Hasse diagram. We say that 
a slice automaton $\mathcal{A}$ is transitively reduced if every DAG in $\mathcal{L}_G(\mathcal{A})$ is transitively 
reduced. Theorem 2 states that any slice automaton $\mathcal{A}$ can be converted into a 
transitively reduced slice automaton $tr(\mathcal{A})$ representing the same partial-order 
language in such a way that the saturation property is preserved. 


Theorem 2 ([34]). Let $\mathcal{A}$ be a slice automaton over $\Sigma(k,T)$. Then one can 
construct in time $2^{O(k \log k)} \cdot |\mathcal{A}|$ a transitively reduced slice automaton $tr(\mathcal{A})$ such 
that $\mathcal{L}_{po}(tr(\mathcal{A})) = \mathcal{L}_{po}(\mathcal{A})$. Additionally, if $\mathcal{A}$ is saturated, then so is $tr(\mathcal{A})$. 


Transitively reduced saturated slice automata are important for our set- 
ting because they can be used to canonically represent infinite families of 
partial-orders, and because they enjoy several nice decidability/closure 
properties. For instance, inclusion and emptiness of intersection of partial-order 
languages represented by such slice automata are decidable. 


Lemma 1 (Properties of Saturated Slice Automata). Let $\mathcal{A}$ and $\mathcal{A}'$ be 
transitively-reduced slice automata over $\Sigma(k,T)$. Assume that $\mathcal{A}'$ is saturated. 

1. It is decidable whether $\mathcal{L}_{po}(\mathcal{A}) \cap \mathcal{L}_{po}(\mathcal{A}') \neq \emptyset$. 
2. It is decidable whether $\mathcal{L}_{po}(\mathcal{A}) \subseteq \mathcal{L}_{po}(\mathcal{A}')$. 


Additionally, the partial order behavior of bounded Petri nets can be repre- 
sented using transitively-reduced, saturated slice automata. 


Theorem 3 ([33]). Let $N = (P, T, W, m_0)$ be a $b$-bounded Petri net. 
Then for each $k \in \mathbb{N}$ one can construct in time $2^{O(b \cdot |P| \cdot k \cdot \log(b \cdot k))} \cdot |T| \cdot |P|$ a 
transitively-reduced, saturated slice automaton $\mathcal{A}(N, k)$ over $\Sigma(k,T)$ such that 
$\mathcal{L}_{po}(\mathcal{A}(N, k)) = \mathcal{P}_{cau}(N, k)$. 


We note that every partial-order in the causal language of a $b$-bounded Petri 
net is a $k$-partial-order for some $k \leq b \cdot |P|$. Therefore, if we set $\mathcal{A}(N) = \mathcal{A}(N, b \cdot |P|)$ 
then $\mathcal{L}_{po}(\mathcal{A}(N)) = \mathcal{P}_{cau}(N)$. Finally, synthesis of Petri nets from (any) slice 
automata is decidable. 


Theorem 4 (Synthesis [33]). Let $\mathcal{A}$ be a slice automaton over $\Sigma(k,T)$. For 
each $b \in \mathbb{N}$ one can construct a $b$-bounded Petri net $N$ satisfying the following 
properties. 

1. $\mathcal{L}_{po}(\mathcal{A}) \subseteq \mathcal{P}_{cau}(N)$. 
2. There is no other $b$-bounded Petri net $N'$ with $\mathcal{L}_{po}(\mathcal{A}) \subseteq \mathcal{P}_{cau}(N') \subsetneq \mathcal{P}_{cau}(N)$. 


5 Weak Saturation 


In this section, we introduce the notion of weak-saturation, a relaxation of the 
notion of saturation that is more suitable for applications involving other partial 
order formalisms. The main result of this section states that weak-saturated slice 
automata can be effectively transformed into saturated slice automata. 

Let $H = (V, E, l, s, t)$ be a $T$-labeled DAG and $w = (v_1, \ldots, v_n)$ be a topological 
ordering of the vertices of $H$. In other words, $w$ is a sequence of vertices from 
$H$ such that for each $i, j$ with $i < j$, there is no edge $e \in E$ with source $s(e) = v_j$ 
and target $t(e) = v_i$. We say that a unit decomposition $U = S_1 S_2 \ldots S_n$ over 
$\Sigma(k,T)$ is compatible with $w$ if $\vec{U} = H$ and for each $i$, $v_i$ is the center vertex of 
$S_i$. Note that given a graph $H$ and a topological ordering $w$, there may be several 
unit decompositions of $H$ compatible with $w$. We denote by $ud(H, w, \Sigma(k,T))$ 
the set of all unit decompositions of $H$ over $\Sigma(k,T)$ that are compatible with 
$w$. Note that for each graph $H$, we have that 

$$ud(H, \Sigma(k,T)) = \bigcup_{w} ud(H, w, \Sigma(k,T)) \qquad (4)$$ 

where $w$ ranges over all topological orderings of $H$. 


Fig. 4. A graph $H$, an ordering $w = (a, b, c, d)$ of the vertices of $H$, and all unit 
decompositions of $H$ compatible with $w$. For each two unit decompositions $U, U'$ in 
$ud(H, w, \Sigma(k,T))$, $U$ is a twisting of $U'$. 


Definition 5 (Weak Saturation). We say that a slice automaton $\mathcal{A}$ is weakly 
saturated if for each DAG $H$ in $\mathcal{L}_G(\mathcal{A})$, and each topological ordering $w$ of $H$, 

$$\mathcal{L}(\mathcal{A}) \cap ud(H, w, \Sigma(k,T)) \neq \emptyset.$$ 


In other words, a slice automaton $\mathcal{A}$ is weakly saturated if for each graph $H$ 
and each topological ordering $w$ of $H$ there is at least one unit decomposition 
of $H$ in $\mathcal{L}(\mathcal{A})$ which is compatible with $w$. In Sect. 6 we will show that weak 
saturation is a decidable property. The following lemma states that each weakly 
saturated slice automaton can be transformed into a saturated slice automaton 
representing the same set of DAGs, and therefore the same set of partial-orders. 


Lemma 2. Let $\mathcal{A}$ be a weakly saturated slice automaton over $\Sigma(k,T)$. Then 
one can construct in time $2^{O(k \log k)} \cdot |\mathcal{A}|$ a saturated slice automaton $\mathcal{A}'$ such 
that $\mathcal{L}_G(\mathcal{A}) = \mathcal{L}_G(\mathcal{A}')$. 


Proof. For $w > 0$, let $[w] = \{1, \ldots, w\}$. We let $[0]$ be the empty set $\emptyset$. A 
permutation of $[w]$ is a bijective mapping $\pi : [w] \to [w]$. We denote by $\emptyset$ the 
empty permutation $\emptyset : [0] \to [0]$. Let $S$ be a slice with frontiers $(I, O)$ and let 
$\pi : [|I|] \to [|I|]$ and $\pi' : [|O|] \to [|O|]$ be permutations. We denote by $(\pi, S, \pi')$ 
the slice that is obtained from $S$ by permuting the labels of the in-frontier nodes 
according to $\pi$, and by permuting the labels of the out-frontier nodes according 
to $\pi'$. 


Let $U = S_1 S_2 \ldots S_n$ be a unit decomposition over $\Sigma(k,T)$, where each 
slice $S_i$ has frontiers $(I_i, O_i)$. Let $\pi_1, \ldots, \pi_{n-1}$ be a sequence where for each 
$j \in \{1, \ldots, n-1\}$, $\pi_j : [|O_j|] \to [|O_j|]$ is a permutation. Then we say that the 
unit decomposition 

$$U' = (\emptyset, S_1, \pi_1)(\pi_1, S_2, \pi_2) \ldots (\pi_{n-1}, S_n, \emptyset)$$ 

is a twisting of $U$. Note that $\vec{U} = \vec{U'}$ (see Fig. 4). In other words, if $U$ is a twisting 
of $U'$ then both decompositions give rise to the same DAG. Conversely, if $U$ and 
$U'$ are compatible with the same topological ordering of a graph $H$ then $U$ 
and $U'$ are twistings of each other. These remarks are formalized in the next 
proposition. 
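As an added example (not code from the paper) serving both the glueing of unit slices in Sect. 4 and the twisting construction above, the following Python stores unit slices, glues a unit decomposition into its DAG $\vec{U}$, and builds the twisting $(\emptyset, S_1, \pi_1)(\pi_1, S_2, \pi_2) \ldots (\pi_{n-1}, S_n, \emptyset)$, so that one can check that a twisting of $U$ yields the same DAG. The diamond DAG `DIAMOND` and the permutations `SWAP` and `SAME` are constructed for the illustration.

```python
"""Unit slices, glueing (Sect. 4) and twisting (proof of Lemma 2).

Added example, not code from the paper. A unit slice is stored as its center
label, its frontier sizes and its edge list; frontier vertices are referred to
by their integer labels 1..|I| and 1..|O|. An edge source is ("in", a) or "c"
(the center vertex), an edge target is "c" or ("out", o). The decomposition
and permutations at the bottom are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UnitSlice:
    label: str
    n_in: int
    n_out: int
    edges: tuple  # ((src, dst), ...)

    def check(self):
        """Every frontier vertex is the endpoint of exactly one edge."""
        ins = sorted(src[1] for src, _ in self.edges if src != "c")
        outs = sorted(dst[1] for _, dst in self.edges if dst != "c")
        if ins != list(range(1, self.n_in + 1)) or outs != list(range(1, self.n_out + 1)):
            raise ValueError(f"malformed frontier in slice {self.label}")


def width(decomposition):
    """w(U): the maximum width max{|I|, |O|} of a slice occurring in U."""
    return max(max(S.n_in, S.n_out) for S in decomposition)


def glue(decomposition):
    """Return (labels, edges) of the DAG S1 o S2 o ... o Sn of a unit decomposition.

    Glueing fuses the edge leaving out-frontier vertex i of S_j with the edge
    entering in-frontier vertex i of S_{j+1}; `pending` keeps, for each open
    out-frontier label, the DAG vertex the fused edge starts from.
    """
    labels, dag_edges, pending = {}, set(), {}
    for j, S in enumerate(decomposition, start=1):
        S.check()
        if S.n_in != len(pending):
            raise ValueError(f"S{j} cannot be glued: |O| = {len(pending)}, |I| = {S.n_in}")
        v = f"v{j}"
        labels[v] = S.label
        new_pending = {}
        for src, dst in S.edges:
            origin = v if src == "c" else pending[src[1]]
            if dst == "c":
                dag_edges.add((origin, v))
            else:                      # the edge is passed on to the next slice
                new_pending[dst[1]] = origin
        pending = new_pending
    if pending:
        raise ValueError("the last slice is not final")
    return labels, frozenset(dag_edges)


def relabel(S, pi_in, pi_out):
    """The slice (pi_in, S, pi_out): permute in- and out-frontier labels."""
    edges = tuple(
        ("c" if src == "c" else ("in", pi_in[src[1]]),
         "c" if dst == "c" else ("out", pi_out[dst[1]]))
        for src, dst in S.edges)
    return UnitSlice(S.label, S.n_in, S.n_out, edges)


def twist(decomposition, perms):
    """Twisting of U: perms[j] permutes the out-frontier of decomposition[j]
    and the in-frontier of decomposition[j+1]; the outer frontiers are empty."""
    n = len(decomposition)
    identity = lambda size: {a: a for a in range(1, size + 1)}
    return [relabel(S,
                    perms[j - 1] if j > 0 else identity(S.n_in),
                    perms[j] if j < n - 1 else identity(S.n_out))
            for j, S in enumerate(decomposition)]


# Constructed unit decomposition of the diamond a->b, a->c, b->d, c->d,
# compatible with the topological ordering (a, b, c, d).
DIAMOND = [
    UnitSlice("a", 0, 2, (("c", ("out", 1)), ("c", ("out", 2)))),
    UnitSlice("b", 2, 2, ((("in", 1), "c"), ("c", ("out", 1)), (("in", 2), ("out", 2)))),
    UnitSlice("c", 2, 2, ((("in", 1), ("out", 1)), (("in", 2), "c"), ("c", ("out", 2)))),
    UnitSlice("d", 2, 0, ((("in", 1), "c"), (("in", 2), "c"))),
]
SWAP, SAME = {1: 2, 2: 1}, {1: 1, 2: 2}

if __name__ == "__main__":
    print(glue(DIAMOND), "width", width(DIAMOND))
    print("twisting gives the same DAG:",
          glue(twist(DIAMOND, [SWAP, SAME, SWAP])) == glue(DIAMOND))
```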


Proposition 1. Let $H$ be a DAG and $U$ and $U'$ be unit decompositions of $H$. 
Then $U$ is a twisting of $U'$ if and only if there is a topological ordering $w$ of $H$ 
such that $U, U' \in ud(H, w, \Sigma(k,T))$. 


We say that a slice automaton $\mathcal{A}$ over $\Sigma(k,T)$ is twisted if whenever a unit 
decomposition $U$ belongs to $\mathcal{L}(\mathcal{A})$ then all its twistings also belong to $\mathcal{L}(\mathcal{A})$. 
Alternatively, in view of Proposition 1, $\mathcal{A}$ is twisted if whenever 

$$\mathcal{L}(\mathcal{A}) \cap ud(H, w, \Sigma(k,T)) \neq \emptyset$$ 

for a DAG $H$ and a topological ordering $w$ of $H$, we have that 
$ud(H, w, \Sigma(k,T)) \subseteq \mathcal{L}(\mathcal{A})$. Using Eq. 4 the notion of saturation can be redefined 
in terms of weak saturation and twisting. 


Proposition 2. Let $\mathcal{A}$ be a slice automaton over $\Sigma(k,T)$. Then $\mathcal{A}$ is saturated 
if and only if it is both twisted and weakly saturated. 


Therefore, to prove Lemma 2 it is enough to devise a procedure that takes 
a slice automaton $\mathcal{A}$ and returns a slice automaton $tw(\mathcal{A})$ whose slice language 
$\mathcal{L}(tw(\mathcal{A}))$ consists of all twisted versions of unit decompositions in $\mathcal{L}(\mathcal{A})$. If $\mathcal{A}$ is 
weakly saturated, then $tw(\mathcal{A})$ is (fully) saturated. 

Let $\mathcal{A} = (Q, \Delta, q^0, F)$. We assume that all states of $\mathcal{A}$ can be reached from 
the initial state $q^0$, and reach some final state in $F$. Let $q$ be a state in $Q$. We say 
that the width of $q$ is $w$ if either there is a transition $(q, S, q')$ such that the 
in-frontier of $S$ has size $w$, or there is a transition $(q', S, q)$ such that the out-frontier 
of $S$ has size $w$. Note that conditions 1-3 of the definition of slice automaton 
(Definition 4) ensure that the notion of width of a state is well defined. Now the 
automaton $tw(\mathcal{A}) = (Q', \Delta', r_0, F')$ is defined as follows: 

$$r_0 = q^0_{\emptyset} \qquad F' = \{q_\pi \in Q' \mid q \in F\} \qquad 
Q' = \{q_\pi \mid q \in Q,\ \pi : [w(q)] \to [w(q)] \text{ is a permutation}\} \qquad (5)$$ 

$$\Delta' = \{(q_\pi, (\pi, S, \pi'), q'_{\pi'}) \mid (q, S, q') \in \Delta,\ q_\pi, q'_{\pi'} \in Q'\}$$ 

It is immediate to check that a unit decomposition $U = S_1 S_2 \ldots S_n$ is accepted 
by $\mathcal{A}$ if and only if each twisting $U' = (\emptyset, S_1, \pi_1)(\pi_1, S_2, \pi_2) \ldots (\pi_{n-1}, S_n, \emptyset)$ is 
accepted by $\mathcal{A}'$. Therefore, the automaton $tw(\mathcal{A})$ is twisted. Additionally, if 
$\mathcal{A}$ is weakly saturated, then by Eq. 4 we have that $tw(\mathcal{A})$ is saturated. Finally, 
we note that the size of $\mathcal{A}'$ is at most $2^{O(k \log k)} \cdot |\mathcal{A}|$, since there can be at most 
$O(k!) = 2^{O(k \log k)}$ permutations of a set of labels with at most $k$ elements. 
6 Slice Traces


In this section we introduce the notion of slice traces, and use this notion to show that the weak-saturation property for slice automata is decidable. This notion will also be used in Sect. 3 to establish connections between MSC languages and saturated slice languages.

We say that two slice strings $U, U' \in \Sigma(k, T)^*$ are locally $\Sigma(k, T)$-equivalent, and denote this fact by $U \overset{k}{\sim} U'$, if there exist $W, W' \in \Sigma(k, T)^*$ and $S_1, S_1', S_2, S_2' \in \Sigma(k, T)$ with $S_1 \circ S_2 = S_1' \circ S_2'$ such that $U = W S_1 S_2 W'$ and $U' = W S_1' S_2' W'$ (Fig. 5).


[Figure 5 omitted.]

Fig. 5. Local Equivalence. $S_1 S_2$ is $\overset{k}{\sim}$-equivalent to $S_1' S_2'$.


We let $\overset{k}{\equiv} \subseteq \Sigma(k, T)^* \times \Sigma(k, T)^*$ be the equivalence relation defined on slice strings by taking the reflexive, symmetric and transitive closure of $\overset{k}{\sim}$. We note that if $U$ is a unit decomposition in $\Sigma(k, T)^{\circledast}$ then any slice string $U'$ that is $\Sigma(k, T)$-equivalent to $U$ is also a unit decomposition in $\Sigma(k, T)^{\circledast}$, and additionally, $\hat{U} = \hat{U}'$. We note that there may exist unit decompositions in $\Sigma(k, T)^{\circledast}$ which are not $\Sigma(k, T)$-equivalent but which are $\Sigma(k', T)$-equivalent for some $k' > k$. Nevertheless, the following proposition states that for each $k$-coverable DAG $H$, $\overset{k}{\equiv}$-equivalence is already enough to relate any two unit decompositions of $H$.

Proposition 3. Let $U_1$ and $U_2$ be unit decompositions in $\Sigma(k, T)^{\circledast}$ such that the DAGs $\hat{U}_1$ and $\hat{U}_2$ are $k$-coverable. Then $U_1 \overset{k}{\equiv} U_2$ if and only if $\hat{U}_1 = \hat{U}_2$.


There is a substantial difference between our notion of independence, defined on slice alphabets, and the notion of independence in Mazurkiewicz trace theory. While the independence relation on slices is determined solely based on the structure of the slices (Fig. 5), without taking into consideration the events that label their center vertices, the Mazurkiewicz independence relation is defined directly on events. As a consequence, once an independence relation $I$ is fixed, the nature of the partial-orders that can be represented as traces with respect to $I$ is restricted. This is valid even for more general notions of traces, such as Diekert's semi-traces [8] and the context dependent traces of [20], in which for instance, partial-orders containing auto-concurrency² cannot be represented. In our setting, any partial order $\ell$ labeled over a set of events $T$ may be represented by a slice trace: namely the set of unit decompositions of its Hasse diagram.

² Auto-concurrency is the process of firing two transitions with the same label simultaneously.


Theorem 5. Let $A$ be a slice automaton over a slice alphabet $\Sigma(k, T)$ representing a set of $k$-partial-orders. Then we may effectively determine whether the slice language generated by $A$ is weakly saturated.


Proof. Assume without loss of generality that the slice automaton $A$ is transitively reduced. Otherwise, just apply the transitive reduction algorithm from [34]. Since each partial-order $\ell \in L_{po}(A)$ is a $k$-partial-order, the Hasse diagram $H$ of $\ell$ can be covered by $k$ paths. Therefore, by Proposition 3, any unit decomposition of $H$ has width at most $k$. Now let $tw(A)$ be the automaton obtained from $A$ by applying the twisting procedure in the proof of Lemma 2. Then by Proposition 2 the automaton $A$ is weakly saturated if and only if $tw(A)$ is saturated. Therefore, it is enough to verify whether $tw(A)$ is saturated. With this in mind, it is enough to test the following condition. If a slice word $w S_1 S_2 u$ is generated by $A'$ then every word $w S_1' S_2' u$ satisfying $S_1' \circ S_2' = S_1 \circ S_2$ is generated by $A'$ as well. Let $A'$ be the minimal deterministic slice automaton generating the same slice language as $tw(A)$. Then any unit decomposition $S_1 S_2 \cdots S_n \in L(A')$ corresponds to a unique computational path in $A'$. Therefore to verify our condition, we just need to determine whether $A'$ is "diamond" closed. In other words we need to test whether for each pair of transition rules $q S_1 r$ and $r S_2 q'$ of $A'$ and each unit decomposition $S_1' S_2'$ of $S_1 \circ S_2$, $A'$ has a state $r'$ and transitions $q S_1' r'$ and $r' S_2' q'$. Clearly this condition can be verified in polynomial time on the size of $A'$, since $S_1 \circ S_2$ can have at most $2^{O(k \log k)}$ possible decompositions.


7 From MSC Automata to Slice Automata 


In this section we define the notion of locally-synchronized slice automata. Let $S$ be a slice (possibly with several vertices in the center) with $k$ in-frontier vertices $v_1, \ldots, v_k$ and $k$ out-frontier vertices $u_1, \ldots, u_k$. For each $i \in \{1, \ldots, k\}$, we say that a path $p_i$ from $v_i$ to $u_i$ is trivial if $v_i$ and $u_i$ are the only vertices in $p_i$. Let $p_1, \ldots, p_k$ be paths such that for each $i$, $p_i$ is a path from $v_i$ to $u_i$. We let the communication graph $comm(S, p_1, \ldots, p_k)$ be the directed graph whose vertices are the paths in $\{p_1, \ldots, p_k\}$, and such that for each $i, j \in \{1, \ldots, k\}$, there is an edge from $p_i$ to $p_j$ if either these paths share a vertex or there is an edge with source in some vertex of $p_i$ and target in some vertex of $p_j$. We say that $S$ is locally-synchronized if $comm(S, p_1, \ldots, p_k)$ has at most one strongly connected component with more than one vertex. Note that trivial paths correspond to isolated vertices. This notion of local synchronization for slices generalizes the notion of local synchronization for message sequence charts in the sense that processes correspond to paths, and isolated vertices in the communication graph of an MSC correspond to trivial paths.
Definition 6 (Locally-Synchronized Slice Automaton). A slice automaton $A$ is locally-synchronized if for every loop $q_1 \xrightarrow{S_1} q_2 \xrightarrow{S_2} \cdots \xrightarrow{S_{n-1}} q_n \xrightarrow{S_n} q_1$ in $A$, the slice $S_1 \circ S_2 \circ \ldots \circ S_n$ is locally synchronized.


The next theorem states that any locally-synchronized slice automaton can 
be transformed further into a saturated slice automaton representing the same 
partial order language as the original one. 


Theorem 6. Let $T$ be a finite set of symbols, and $k \in \mathbb{N}$. Let $A$ be a locally-synchronized slice automaton over $\Sigma(k, T)$. Then one can construct a saturated slice automaton $A'$ such that $L_{po}(A') = L_{po}(A)$.


The following theorem is the main result of this section. It states that MSC 
automata can be converted into slice automata representing the same partial- 
order language. Additionally, this conversion transforms locally-synchronized 
MSC automata into saturated slice automata. 


Theorem 7 (From MSC Automata to Slice Automata). Let $\mathcal{M}$ be an MSC automaton over $\mathcal{J}$. Then one can construct a transitively-reduced slice automaton $A(\mathcal{M})$ satisfying $L_{po}(\mathcal{M}) = L_{po}(A(\mathcal{M}))$. Furthermore, if $\mathcal{M}$ is locally-synchronized, then $A(\mathcal{M})$ is saturated.


Proof. Let $\mathcal{J} = \{1, \ldots, k\}$ be a set of processes. We let $S^{\iota}(\mathcal{J})$ be the slice with empty in-frontier $I = \emptyset$, $k$ out-frontier vertices $O = \{v_1, \ldots, v_k\}$ where each $v_i$ is labeled with the number $i$, and with a unique vertex $v$ in the center which is connected to each vertex in $O$. We say that $S^{\iota}(\mathcal{J})$ is the initial slice of $\mathcal{J}$.

Analogously, let $S^{\varepsilon}(\mathcal{J})$ be the slice with empty out-frontier $O = \emptyset$, $k$ in-frontier vertices $I = \{u_1, \ldots, u_k\}$ where each $u_i$ is labeled with the number $i$, and with a unique center vertex $v$ in the center. For each $i$ there is an edge with source in $u_i$ and target in $v$. We say that $S^{\varepsilon}(\mathcal{J})$ is the final slice of $\mathcal{J}$.

Now let $M$ be an MSC over $\mathcal{J}$. Then we let $S(M)$ be the slice (not necessarily a unit slice) constructed as follows. $S(M)$ has $k$ in-frontier vertices $x_1, \ldots, x_k$, and $k$ out-frontier vertices $y_1, \ldots, y_k$. Let $H$ be the Hasse diagram of $M$. Then for each $i \in \{1, \ldots, k\}$ proceed as follows. If $H$ has no vertex labeled with an element of $\Sigma_i$, then add an edge from the in-frontier vertex $x_i$ to the out-frontier vertex $y_i$. Otherwise, if such a vertex exists, then add an edge from $x_i$ to the (unique) minimal vertex of $H$ labeled with an element of $\Sigma_i$, and an edge from the (unique) maximal vertex of $H$ labeled with an element of $\Sigma_i$ to the out-frontier vertex $y_i$. Note that the transitive closure of the slice $S^{\iota}(\mathcal{J}) \circ S(M) \circ S^{\varepsilon}(\mathcal{J})$ is precisely the extension of the partial-order $M$ (see Sect. 2). We let $W(M) = S_1 S_2 \ldots S_n$ be an arbitrary sequence of unit slices such that $S(M) = S_1 \circ S_2 \circ \ldots \circ S_n$.

Now let $\mathcal{M}$ be an MSC automaton over $\mathcal{J}$. We will show how to construct a slice automaton $A'(\mathcal{M})$ over $\Sigma(|\mathcal{J}|, T)$ such that $L_{po}(A'(\mathcal{M})) = L_{po}(\mathcal{M})$. The conversion is done as follows. Let $M$ be an MSC with $m$ nodes and let $W(M) = S_1 S_2 \ldots S_m$. We replace each transition $(q, M, q')$ in $\mathcal{M}$ by a sequence of transitions

$$(q, S_1, q_1)(q_1, S_2, q_2) \cdots (q_{m-1}, S_m, q').$$


462 M. de Oliveira Oliveira 


Now we create an initial state $q_{\iota}$, and add the transition $(q_{\iota}, S^{\iota}(\mathcal{J}), q)$ for each initial state $q$ of $\mathcal{M}$. Analogously, we create a final state $q_{\varepsilon}$ and add the transition $(q, S^{\varepsilon}(\mathcal{J}), q_{\varepsilon})$ for each final state $q$ of $\mathcal{M}$. Now it is immediate to check that $\mathcal{M}$ accepts a sequence $M_1 M_2 \ldots M_n$ of MSCs if and only if $A'(\mathcal{M})$ accepts the unit decomposition

$$U = S^{\iota}(\mathcal{J}) W(M_1) W(M_2) \ldots W(M_n) S^{\varepsilon}(\mathcal{J}).$$

This implies that $tc(\hat{U}) = \hat{\ell}$ where $\ell = M_1 \circ M_2 \circ \ldots \circ M_n$. Therefore, $L_{po}(A'(\mathcal{M})) = L_{po}(\mathcal{M})$.

Now assume that $L_{po}(\mathcal{M})$ is linearization-regular. Then by Theorem 1, we may assume that $\mathcal{M}$ is locally-synchronized. Let $W(M_1) W(M_2) \ldots W(M_n)$ label a loop in $A'(\mathcal{M})$. Then $M_1 M_2 \ldots M_n$ labels a loop in $\mathcal{M}$. Since by assumption $\mathcal{M}$ is locally-synchronized, we have that the MSC $M_1 \circ M_2 \circ \ldots \circ M_n$ is locally-synchronized. This implies that the slice $S(M_1) \circ S(M_2) \circ \ldots \circ S(M_n)$ is also locally-synchronized. Since a sequence of MSCs $M_1 M_2 \ldots M_n$ labels a loop in $\mathcal{M}$ if and only if the sequence of unit slices $W(M_1) W(M_2) \ldots W(M_n)$ labels a loop in $A'(\mathcal{M})$, we have that $A'(\mathcal{M})$ is locally-synchronized. Therefore, as a last step we apply Theorem 6 to construct a slice automaton $A(\mathcal{M})$ which is saturated and has the same partial-order language as $A'(\mathcal{M})$, and therefore, the same partial-order language as $\mathcal{M}$.


By combining Theorem 7 with Theorem 3 and Lemma 1, we have the follow- 
ing theorem. 


Theorem 8. Let $\mathcal{M}$ be an MSC automaton over $\mathcal{J}$ and $N$ be a $b$-bounded Petri net with transition set $T = \mathcal{J}$.

1. It is decidable whether $L_{po}(\mathcal{M}) \cap P_{cau}(N) \neq \emptyset$.
2. It is decidable whether $L_{po}(\mathcal{M}) \subseteq P_{cau}(N)$.
3. If $\mathcal{M}$ is locally synchronized, it is decidable whether $P_{cau}(N) \subseteq L_{po}(\mathcal{M})$.


Proof. Let $A$ be the slice automaton derived from $\mathcal{M}$ as in Theorem 7. Then $A$ is transitively-reduced and $L_{po}(\mathcal{M}) = L_{po}(A)$. Let $A'$ be the slice automaton constructed from $N$ as in Theorem 3. Then $A'$ is transitively-reduced, saturated and $L_{po}(A') = P_{cau}(N)$. By Lemma 1, we have that it is decidable whether $L_{po}(A) \cap L_{po}(A') \neq \emptyset$ and whether $L_{po}(A) \subseteq L_{po}(A')$. Finally, if $\mathcal{M}$ is locally synchronized, then $A$ is saturated, and therefore the inclusion $L_{po}(A') \subseteq L_{po}(A)$ is also decidable.


By combining Theorem 7 with Theorem 9 we have the following theorem. 


Theorem 9 (Synthesis From MSC Automata). Let $\mathcal{M}$ be an MSC automaton over $\mathcal{J}$. For each $b \in \mathbb{N}$ one can construct a $b$-bounded Petri net $N$ satisfying the following properties.

1. $L_{po}(\mathcal{M}) \subseteq P_{cau}(N)$.
2. There is no other $b$-bounded Petri net $N'$ with $L_{po}(\mathcal{M}) \subseteq P_{cau}(N') \subsetneq P_{cau}(N)$.

Additionally, if $\mathcal{M}$ is locally synchronized, then one can decide whether $P_{cau}(N) = L_{po}(\mathcal{M})$.


Proof. Let $A$ be the slice automaton of Theorem 7. Then $A$ is transitively-reduced and $L_{po}(\mathcal{M}) = L_{po}(A)$. By Theorem 4, one can construct a $b$-bounded Petri net $N$ such that $L_{po}(A) \subseteq P_{cau}(N)$, and such that there is no $b$-bounded Petri net $N'$ with $L_{po}(A) \subseteq P_{cau}(N') \subsetneq P_{cau}(N)$.

Note that if there is a $b$-bounded Petri net whose causal behavior is equal to $L_{po}(A)$, then by minimality, we have that $P_{cau}(N) = L_{po}(A)$. Nevertheless, in general it is not possible to verify whether equality is achieved. On the other hand, if $\mathcal{M}$ is locally synchronized, then by Item 3 of Theorem 8, one can also test whether the reverse inclusion $P_{cau}(N) \subseteq L_{po}(A)$ holds, and hence whether equality is achieved.


8 From Mazurkiewicz Traces to Slice Languages 


In Mazurkiewicz trace theory, partial-orders are represented as equivalence classes of words over an alphabet of events [28]. Given an alphabet $T$ of events and a symmetric and anti-reflexive independence relation $I \subseteq T \times T$, a string $\alpha a b \beta$ is defined to be similar to the string $\alpha b a \beta$ ($\alpha a b \beta \sim \alpha b a \beta$) provided $(a, b) \in I$. A trace is then an equivalence class of the transitive reflexive closure $\sim^*$ of the relation $\sim$. We denote by $[\alpha]_I$ the trace corresponding to a string $\alpha \in T^*$.

A partial-order $\ell_I(\alpha)$ is associated with a string $\alpha \in T^*$ of events in the following way: First we consider a dependence DAG $dep_I(\alpha) = (V, E, l)$ that has one vertex $v_i \in V$ labeled by the event $\alpha_i$ for each $i \in \{1, \ldots, |\alpha|\}$. An edge connects $v_i$ to $v_j$ in $E$ if and only if $i < j$ and $(\alpha_i, \alpha_j) \notin I$. Then $\ell_I(\alpha)$ is the transitive closure of $dep_I(\alpha)$. One may verify that two strings induce the same partial-order if and only if they belong to the same trace. The trace language induced by a string language $\mathcal{L} \subseteq T^*$ with respect to an independence relation $I$ is the set $[\mathcal{L}]_I = \{[\alpha]_I \mid \alpha \in \mathcal{L}\}$ and the trace closure of $\mathcal{L}$ is the language $\bigcup_{\alpha \in \mathcal{L}} [\alpha]_I$.

Given a finite automaton $\mathcal{F}$ over an alphabet $T$ and an independence relation $I \subseteq T \times T$, we denote by $L(\mathcal{F})$ the regular language defined by $\mathcal{F}$ and by $L_{po}(\mathcal{F}, I) = \{\ell_I(\alpha) \mid \alpha \in L(\mathcal{F})\}$ the partial-order language induced by $(\mathcal{F}, I)$. We call the pair $(\mathcal{F}, I)$ a Mazurkiewicz pair. We say that $L(\mathcal{F})$ is trace-closed if $[\alpha]_I \subseteq L(\mathcal{F})$ for each $\alpha \in L(\mathcal{F})$. As an abuse of terminology, we may say that the Mazurkiewicz pair $(\mathcal{F}, I)$ is trace-closed.
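The dependence DAG, the induced partial order, trace equivalence and trace closure of a finite language, worked out as an added example (not code from the paper) over the independence alphabet of Fig. 6, T = {a, b, c} with I = {(a, b), (b, a)}; the helper names are the example's own.

```python
# Added example, not from the paper: dependence DAGs, trace equivalence and
# trace closure for Mazurkiewicz traces over the independence alphabet of
# Fig. 6, T = {a, b, c} with I = {(a, b), (b, a)}.

# Independence relation I as a symmetric, anti-reflexive set of pairs.
I_FIG6 = {("a", "b"), ("b", "a")}


def dependence_dag(word, indep):
    """dep_I(word): vertex i carries letter word[i]; edge i -> j iff i < j
    and (word[i], word[j]) is not in I."""
    n = len(word)
    return {(i, j) for i in range(n) for j in range(i + 1, n)
            if (word[i], word[j]) not in indep}


def transitive_closure(n, edges):
    """Warshall closure on vertex set {0..n-1}; returns successor sets."""
    succ = {i: set() for i in range(n)}
    for i, j in edges:
        succ[i].add(j)
    for k in range(n):
        for i in range(n):
            if k in succ[i]:
                succ[i] |= succ[k]
    return succ


def partial_order(word, indep):
    """l_I(word) as a set of ordered vertex pairs.  A vertex is named
    (letter, occurrence number): since I is anti-reflexive, equal letters are
    always dependent, so this naming is identical for every word of a trace."""
    counts, names = {}, []
    for ch in word:
        counts[ch] = counts.get(ch, 0) + 1
        names.append((ch, counts[ch]))
    succ = transitive_closure(len(word), dependence_dag(word, indep))
    return frozenset((names[i], names[j]) for i in succ for j in succ[i])


def same_trace(u, v, indep):
    """Two strings lie in the same trace iff they induce the same labelled
    partial order (and carry the same multiset of letters)."""
    return sorted(u) == sorted(v) and partial_order(u, indep) == partial_order(v, indep)


def trace_closure(language, indep):
    """Union of [w]_I over w in the language, computed by exhaustively swapping
    adjacent independent letters (the similarity relation ~ of the text)."""
    closure = set(language)
    todo = list(language)
    while todo:
        w = todo.pop()
        for i in range(len(w) - 1):
            if (w[i], w[i + 1]) in indep:
                w2 = w[:i] + w[i + 1] + w[i] + w[i + 2:]
                if w2 not in closure:
                    closure.add(w2)
                    todo.append(w2)
    return closure


def is_trace_closed(language, indep):
    """L is trace-closed iff [w]_I is contained in L for every w in L."""
    return trace_closure(language, indep) == set(language)


if __name__ == "__main__":
    print(sorted(trace_closure({"abcab"}, I_FIG6)))
    print(same_trace("abab", "aabb", I_FIG6), same_trace("abc", "acb", I_FIG6))
```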

We let $\hat{L}_{po}(\mathcal{F}, I) = \{\hat{\ell} \mid \ell \in L_{po}(\mathcal{F}, I)\}$ be the set of extensions of partial-orders in $L_{po}(\mathcal{F}, I)$. We note that extensions are only considered to make the construction of the automaton $A(\mathcal{F}, I)$ slightly cleaner. With some easy case analysis one can construct slice automata whose partial-order language is $L_{po}(\mathcal{F}, I)$ instead of $\hat{L}_{po}(\mathcal{F}, I)$. The next theorem (Theorem 10) states that for any finite automaton $\mathcal{F}$ and independence relation $I$, one can construct a slice automaton $A(\mathcal{F}, I)$ whose partial-order language is equal to $\hat{L}_{po}(\mathcal{F}, I)$.
Theorem 10 (From Traces to Slices). Let $\mathcal{F}$ be a finite automaton over an alphabet $T$, and $I \subseteq T \times T$ an independence relation. Then for some $k \leq |T|^2$ one can construct a transitively-reduced slice automaton $A(\mathcal{F}, I)$ over $\Sigma(k, T \cup \{\iota, \varepsilon\})$ such that $L_{po}(A(\mathcal{F}, I)) = \hat{L}_{po}(\mathcal{F}, I)$. Additionally, if $(\mathcal{F}, I)$ is trace-closed, then $A(\mathcal{F}, I)$ is saturated.


[Figure 6 omitted: the slices $S_{\iota}$, $S_a$, $S_b$, $S_c$, $S_{\varepsilon}$ over the pairs $aa, ab, ac, bb, bc, cc$, for $T = \{a, b, c\}$ and $I = \{ab, ba\}$.]

Fig. 6. Mapping an independence alphabet $(T, I)$ to a slice alphabet $\Sigma(T, I) \subseteq \Sigma(k, T)$ where $k \leq |T|^2$.


In the remainder of this section we prove Theorem 10. We note that the difficulty in the construction of the automaton $A(\mathcal{F}, I)$ lies in showing that $A(\mathcal{F}, I)$ is saturated whenever $L(\mathcal{F})$ is trace-closed. As a first step in the proof, we will use the independence alphabet $(T, I)$ to construct a slice alphabet $\Sigma(T, I) = \{S_a \mid a \in T\} \cup \{S_{\iota}, S_{\varepsilon}\}$ with the following property: For each string $\alpha = \alpha_1 \alpha_2 \ldots \alpha_n \in T^*$ the partial-order defined by the unit decomposition $U_{\alpha} = S_{\iota} S_{\alpha_1} S_{\alpha_2} \cdots S_{\alpha_n} S_{\varepsilon}$ is precisely the extension of the partial-order $\ell_I(\alpha)$ induced by $\alpha$ (Fig. 6).

Let $\rho : T \to \{1, \ldots, |T|\}$ be an arbitrary ordering of the elements of $T$. Let $D = \{ab \mid a, b \in T,\ \rho(a) \leq \rho(b),\ (a, b) \notin I\}$ be the set of pairs of non-independent elements of $T$. Let $\bar{\rho} : D \to \{1, \ldots, |D|\}$ be the natural lexicographic ordering induced on $D$ by the ordering $\rho$. For each symbol $a \in T$ we define the slice $S_a$ as follows: Both the in-frontier $I$ and the out-frontier $O$ of $S_a$ have $|D|$ vertices, and the center of $S_a$ has a unique vertex $v_a$ which is labeled by $a$. In symbols $I = \{I_{ab} \mid ab \in D\}$ and $O = \{O_{ab} \mid ab \in D\}$. For each $ab \in D$, both the in-frontier vertex $I_{ab}$ and the out-frontier vertex $O_{ab}$ are labeled with the number $\bar{\rho}(ab)$. For each pair $bc \in D$ with $a \neq b$ and $a \neq c$ we add an edge to $S_a$ with source in $I_{bc}$ and target in $O_{bc}$, and for each pair $ax \in D$ ($xa \in D$) we add an edge with source in $I_{ax}$ ($I_{xa}$) and target in $v_a$, and an edge with source in $v_a$ and target in $O_{ax}$ ($O_{xa}$) (Fig. 6). We associate with the symbol $\iota$ an initial slice $S_{\iota}$ with center vertex $v_{\iota}$ labeled by $\iota$, and out-frontier $O$. Analogously, with the symbol $\varepsilon$, we associate a final slice $S_{\varepsilon}$ with center vertex $v_{\varepsilon}$ labeled by $\varepsilon$, and in-frontier $I$. We note that the slice alphabet $\Sigma(T, I)$ is a subset of $\Sigma(k, T \cup \{\iota, \varepsilon\})$ where $k = |D| \leq |T|^2$.

Now let $\alpha = \alpha_1 \alpha_2 \ldots \alpha_n$ be a string in $T^*$, $dep_I(\alpha)$ be the dependence graph of $\alpha$ and $U_{\alpha} = S_{\iota} S_{\alpha_1} \cdots S_{\alpha_n} S_{\varepsilon}$. Let $v_i$ be the $i$-th vertex of $dep_I(\alpha)$, and $u_i$ be the center vertex of the slice $S_{\alpha_i}$. Then it is straightforward to check that for each $i, j \in \{1, \ldots, n\}$ with $i < j$, there is a path from $u_i$ to $u_j$ in the graph $\hat{U}_{\alpha}$ if and only if there is a path from $v_i$ to $v_j$ in $dep_I(\alpha)$. This implies that the partial-order $tc(\hat{U}_{\alpha})$ is the extension of the partial-order $\ell_I(\alpha)$ induced by $\alpha$. In other words, $tc(\hat{U}_{\alpha}) = \hat{\ell}_I(\alpha)$.
Now, from the pair $(\mathcal{F}, I)$ with $\mathcal{F} = (Q, R, Q_0, F)$ we construct an auxiliary slice automaton $A'(\mathcal{F}, I) = (Q', R', Q_0', F')$ as follows. We let $Q' = Q \cup \{q_{\iota}, q_{\varepsilon}\}$, $Q_0' = \{q_{\iota}\}$, $F' = \{q_{\varepsilon}\}$, and $R' = \{(q_{\iota}, S_{\iota}, q) \mid q \in Q_0\} \cup \{(q, S_{\varepsilon}, q_{\varepsilon}) \mid q \in F\} \cup \{(q, S_a, q') \mid (q, a, q') \in R\}$. Then we have that $\mathcal{F}$ accepts a string $\alpha$ if and only if $A'(\mathcal{F}, I)$ accepts the unit decomposition $U_{\alpha}$. This implies that $L_{po}(A'(\mathcal{F}, I)) = \hat{L}_{po}(\mathcal{F}, I)$.

Now assume that $L(\mathcal{F})$ is trace closed. Then for each string $\gamma \in [\alpha]_I$ we have that $\gamma \in L(\mathcal{F})$ and therefore $U_{\gamma} \in L(A'(\mathcal{F}, I))$. Since for each topological ordering $\omega$ of the graph $\hat{U}_{\alpha}$, there is a $\gamma \in [\alpha]_I$ such that $U_{\gamma}$ is compatible with $\omega$, we have that $A'(\mathcal{F}, I)$ is weakly saturated. Therefore, by Lemma 2 we can construct a saturated slice automaton $A(\mathcal{F}, I)$ with $L_{po}(A(\mathcal{F}, I)) = L_{po}(A'(\mathcal{F}, I))$.


9 Conclusion 


In this work, we have established connections between the causal semantics of Petri nets and message sequence chart languages. In particular, we showed that message sequence chart automata can be used as a tool for the study of the causal behavior of Petri nets. Despite the fact that each of these formalisms was defined several decades ago, the connections established in our work were unknown. In order to prove our results we have introduced new slice-theoretic machinery of independent interest. In particular, our techniques pave the way for the use of slice automata as a bridge between bounded Petri nets and behavioral formalisms. Further evidence for this assessment is given in Sect. 8, where we show how to map Mazurkiewicz trace languages to slice languages in such a way that trace closure implies saturation. This means that the results in Theorems 8 and 9 also hold if instead of MSC automata we use Mazurkiewicz pairs.
Abstract. Workflow nets are a well-established mathematical formal- 
ism for the analysis of business processes arising from either modeling 
tools or process mining. The central decision problems for workflow nets 
are k-soundness, generalised soundness and structural soundness. Most 
existing tools focus on k-soundness. In this work, we propose novel scal- 
able semi-procedures for generalised and structural soundness. This is 
achieved via integral and continuous Petri net reachability relaxations. 
We show that our approach is competitive against state-of-the-art tools. 


1 Introduction 


Workflow nets are a well-established mathematical formalism for the descrip- 
tion of business processes arising from software modelers and process mining 
(e.g., see [2,3]), and further notations such as UML activity diagrams [4]. More 
precisely, a workflow net consists of places that contain resources, and transi- 
tions that can consume, create and move resources concurrently. Two designated 
places, denoted i and f, respectively model the initialization and completion of a 
process. Workflow nets, which form a subclass of Petri nets, enable the automatic 
formal verification of business processes. For example, 1-soundness states that 
from the initial configuration {i: 1}, every reachable configuration can reach the 
final configuration {f: 1}. Informally, this means that given any partial execution 
of a business process, it is possible to complete it properly. 


Soundness. The main decision problems concerning workflow nets revolve around 
soundness properties. The generalisation of 1-soundness to several resources is k- 
soundness. It asks whether from {i: k}, every reachable configuration can reach 
{f: k} (here, {p: k} indicates that place p contains k resources). Intuitively, 1- 
soundness guarantees that every initialised process terminates, and k-soundness 
guarantees that k initialised processes working in parallel will all terminate (see 


An extended version of this paper with an appendix containing the missing proofs can 
e.g. [1,2]). Generalised soundness asks whether k-soundness holds for all k > 
1. Unlike k-soundness, generalised soundness preserves desirable properties like 
composition and has other desirable properties for business applications [20]. 
Structural soundness is the existential counterpart of generalised soundness, i.e. 
it asks whether k-soundness holds for some k > 1. Structural soundness gives 
information on how many processes can be controlled in parallel [31], moreover, 
by applying results about structural soundness, one can compute the set of all 
k for which the workflow net is k-sound [9, Section 7]. 

These problems are all decidable [1,21,31], but with high complexity: either 
PSPACE- or EXPSPACE-complete [9]. Most of the (software) tools focus on k- 
soundness, with an emphasis on k = 1. Existing algorithms for generalised and 
structural soundness rely on Petri net reachability [19,21,31], which was recently 
shown Ackermann-complete [13,24], so not primitive recursive. In this work, we 
describe novel scalable semi-procedures for generalised and structural soundness. 

We focus on “negative instances”, i.e. where soundness does not hold. Let us motivate this. It is known that given a workflow net $N$, one can iteratively apply simple reduction rules to $N$. The resulting workflow net $N'$ is sound iff $N$ is as well [10,22]. In practice, one infers that $N$ is sound from the fact that $N'$ has been reduced to a trivial workflow net where only $i$ and $f$ remain. However, if $N$ is not sound, one obtains some nontrivial $N'$ that must be verified via some other approach such as model checking. In this work, we provide algorithmic building blocks for this case, where state-space exploration is prohibitive.


Relaxations. This is achieved by considering two reachability relaxations, namely 
integer reachability and continuous reachability. As their name suggests, these 
two notions relax some forbidden behaviour of workflow nets. Informally, integer 
reachability allows for the amount of resources to become temporarily negative, 
while continuous reachability allows the fragmentation of resources into pieces. 
Such relaxations possibly introduce spurious behaviour, but enjoy significantly 
better algorithmic properties (e.g., see [7]). For example, they have been success- 
fully employed for the verification of multi-threaded program skeletons [5,8,15]. 


Generalised Soundness. Based on these relaxations, we provide two necessary 
conditions for generalised soundness: integer boundedness and continuous sound- 
ness. The former states that the state-space of a given workflow net is bounded 
(from above) even under integer reachability. The latter states that a given 
workflow net is 1-sound under continuous reachability. We show the following 
for integer boundedness and continuous soundness: 


— Well-established classical reduction rules preserve both properties; 

— Integer boundedness is testable in polynomial time, and continuous soundness 
is coNP-complete; 

— From a practical viewpoint, they are respectively translatable into instances 
of linear programming and linear arithmetic (which can be solved efficiently 
by dedicated tools such as SMT solvers); 

— Under a mild computational assumption, continuous soundness implies inte- 
ger boundedness. 
Thus, altogether, in order to check whether a workflow net $N$ is generalised unsound, one may first use classical reduction rules to obtain a smaller workflow net $N'$; test integer unboundedness in polynomial time; and, if needed, move onto testing continuous unsoundness.

The fact that continuous reachability can be used to semi-decide generalised soundness is arguably surprising. Using the notation of computation tree logic (CTL), $k$-soundness can be rephrased as $\{i{:}\,k\} \models \forall G\, \exists F\, \{f{:}\,k\}$. Some other well-studied properties have a similar structure, e.g. liveness and home-stateness amount to “$m_{init} \models \bigwedge_{t \in T} \forall G\, \exists F\, (t \text{ is enabled})$” and “$m_{init} \models \forall G\, \exists F\, m_{home}$”. It is known that liveness, home-stateness, and other properties such as boundedness and inclusion, cannot be approximated continuously [8, Sect. 4]. Yet, generalised soundness quantifies $k$-soundness universally, and this enables a continuous over-approximation. Consequently, we provide a novel application of continuous relaxations for the efficient verification of properties beyond reachability.


Structural Soundness. The authors of [31] have observed that a property called 
structural quasi-soundness is a necessary condition for structural soundness. The 
former states that {i: k} can reach {f: k} for some k > 1. In [31], structural 
quasi-soundness is reduced to Petri net reachability, which has non primitive 
recursive complexity. In this work, we show that structural quasi-soundness can 
be rephrased as continuous reachability. Since the latter can be tested in poly- 
nomial time [18], or alternatively via SMT solving [8], this vastly improves the 
practicability of structural quasi-soundness. We further show that this approach can be adapted so that it provides a lower bound on the first k such that {i: k} can reach {f: k}. From a practical point of view, this is useful as it can vastly reduce the number of reachability queries needed to decide structural soundness.


Free-Choice Nets. Many real-world workflow nets have a specific structure where 
concurrency is restricted. Such nets are known as free-choice workflow nets (e.g., 
see [14] for a book). In particular, free-choice workflow nets allow for the model- 
ing of many features present in common workflow management systems [2]. Gen- 
eralised soundness is equivalent to 1-soundness for free-choice workflow nets [28]. 
In this work, we prove that continuous soundness is equivalent to generalised 
soundness. As a byproduct of our proof, we show that structural soundness is also 
equivalent to continuous soundness. Altogether, the notions of {1-, generalised, 
structural, continuous} soundness all coincide for free-choice nets. In particular, 
this means that the continuous relaxation is exact and can serve as an efficient 
addition to the existing algorithmic toolkit. 


Experimental Results. To demonstrate the viability of our approach, we have 
implemented and experimentally evaluated a prototype. As part of our eval- 
uation, we propose several new synthetic instances for generalised and struc- 
tural soundness, which are hard to decide with naive approaches. Some of these 
instances involve the composition of workflow nets arising from the modeling of 
business processes in the IBM WebSphere Business Modeler. Our prototype is 
competitive against both a state-of-the-art Petri net model checker, and a work- 
flow net analyzer. In particular, our approach exhibits better signs of scalability. 
Organization. The paper follows the structure of this introduction. Section 2 
introduces notation, workflow nets and some properties. Section 3 defines inte- 
ger and continuous relaxations, and further shows that they are preserved under 
reduction rules. Sections 4, 5, 6 present the aforementioned results on generalised 
soundness, structural soundness and free-choice nets. Section 7 provides experi- 
mental results. Section 8 concludes. Some proofs are deferred to an appendix. 


2 Preliminaries 


We use $\mathbb{Z}$, $\mathbb{N}$, $\mathbb{Q}$ and $\mathbb{Q}_{\geq 0}$ to respectively denote the integers, the naturals (including 0), the rationals and the nonnegative rationals (including 0). Let $x, y \in \mathbb{Q}^S$ be vectors over a finite set $S$. We write $x \leq y$ if $x[s] \leq y[s]$ for all $s \in S$. We write $x < y$ if $x \leq y$ and $x[s] < y[s]$ for some $s \in S$. We extend addition and subtraction to vectors, i.e. $(x + y)[s] = x[s] + y[s]$ and $(x - y)[s] = x[s] - y[s]$ for all $s \in S$. We define $\mathrm{supp}(x) = \{s \in S \mid x[s] \neq 0\}$. Given $c \in \mathbb{Q}$, $\mathbf{c} \in \mathbb{Q}^S$ denotes the vector such that $\mathbf{c}[s] = c$ for all $s \in S$.


2.1 Petri Nets 


A Petri net $N$ is a triple $(P, T, F)$, where $P$ is a finite set of places; $T$ is a finite set of transitions, such that $T \cap P = \emptyset$; and $F\colon ((P \times T) \cup (T \times P)) \to \{0, 1\}$ is a set of arcs. For readers familiar with Petri nets, note that arc weights are not allowed, i.e. the weights are always 1. A marking is a vector $m \in \mathbb{N}^P$ such that $m[p]$ denotes the number of tokens in place $p$. We denote markings listing nonzero values, e.g. $m = \{p_1{:}\,1\}$ means $m[p_1] = 1$ and $m[p] = 0$ for $p \neq p_1$.

Let $t \in T$. We define the pre-vector of $t$ as ${}^{\bullet}t \in \mathbb{N}^P$, where ${}^{\bullet}t[p] = F(p, t)$. We define its post-vector symmetrically with $t^{\bullet}[p] = F(t, p)$. The effect of $t$ is denoted as $\Delta(t) := t^{\bullet} - {}^{\bullet}t$. We say that a transition $t$ is enabled at a marking $m$ if $m \geq {}^{\bullet}t$. If this is the case, then $t$ can be fired at $m$, which results in a marking $m'$ such that $m' := m + \Delta(t)$. We write $m \xrightarrow{t}$ to denote that $t$ is enabled at $m$, and we write $m \xrightarrow{t} m'$ whenever we care about the marking $m'$ resulting from the firing. We further write $m \to m'$ to denote that $m \xrightarrow{t} m'$ for some $t \in T$.

We say that a sequence of transitions $\pi = t_1 \cdots t_n$ is a run. We extend the notion of effect, enabledness and firing from transitions to runs in a straightforward way. The effect of a run is defined as the sum of the effects of its transitions, that is, $\Delta(\pi) := \Delta(t_1) + \ldots + \Delta(t_n)$. The run $\pi$ is enabled at $m$, denoted as $m \xrightarrow{\pi}$, if $m \xrightarrow{t_1} m_1 \xrightarrow{t_2} m_2 \cdots \xrightarrow{t_{n-1}} m_{n-1} \xrightarrow{t_n}$ for some markings $m_1, m_2, \ldots, m_{n-1}$. Furthermore, firing $\pi$ from $m$ leads to $m'$, denoted as $m \xrightarrow{\pi} m'$, if $m \xrightarrow{\pi}$ and $m' = m + \Delta(\pi)$. We denote the reflexive and transitive closure of $\to$ by $\to^*$.

A pair $(N, m)$, where $N$ is a Petri net and $m$ is a marking of $N$, is called a marked Petri net. We write $\mathrm{Reach}(N, m) := \{m' \mid m \to^* m'\}$ to denote the set of markings reachable from $m$ in $N$.

A marked Petri net $(N, m)$ is bounded if there exists $b \in \mathbb{N}$ such that $m' \in \mathrm{Reach}(N, m)$ implies $m'[p] \leq b$ for all $p \in P$. It is further safe if $b = 1$. We say unbounded and unsafe for “not bounded” and “not safe”.

Sometimes, we argue about transformations on Petri nets which take as an input a Petri net $N$ and output a Petri net $N'$. We say that such a transformation preserves some property if $N$ satisfies that property iff $N'$ satisfies it.


[Figure 1 omitted.]

Fig. 1. Example of two Petri nets: respectively $N_{left}$ and $N_{right}$.


Example 1. The left-hand side of Fig. 1 illustrates a Petri net $N_{left} = (P, T, F)$ where $P := \{i, p_1, p_2, q_1, q_2, f\}$, $T := \{s, t_1, t_2, u\}$, and $F$ is depicted by arcs, e.g. $F[i, s] = 1$ and $F[s, i] = 0$. The Petri net is marked by $\{i{:}\,1\}$, i.e. with one token in place $i$. We have $\{i{:}\,1\} \xrightarrow{s} \{p_1{:}\,1, p_2{:}\,1\} \xrightarrow{t_1 t_2} \{q_1{:}\,1, q_2{:}\,1\} \xrightarrow{u} \{f{:}\,1\}$. ◁


2.2 Workflow Nets

A workflow net $N$ is a Petri net [1] such that:

— there is a designated initial place $i$ such that $t^\bullet[i] = 0$ for all $t \in T$;

— there is a designated final place $f \neq i$ such that ${}^\bullet t[f] = 0$ for all $t \in T$; and

— each place and transition lies on at least one path from $i$ to $f$ in the underlying graph of $N$, i.e. $(V, E)$ where $V := P \cup T$ and $(u, v) \in E$ iff $F(u, v) \neq 0$.


We say that $N$ is:

— $k$-sound if for all $m \in \mathrm{Reach}(N, \{i: k\})$ it is the case that $m \to^* \{f: k\}$ [1];
— generalised sound if $N$ is $k$-sound for all $k \in \mathbb{N}_{\ge 1}$ [20, Def. 3];
— structurally sound if $N$ is $k$-sound for some $k \in \mathbb{N}_{\ge 1}$ [6].


Example 2. Figure 1 depicts two workflow nets: $N_{\text{left}}$ and $N_{\text{right}}$. The former is generalised sound, but the latter is not. Indeed, from $\{i: 1\}$, transition $t$ cannot be enabled (as transitions preserve the sum of all tokens). Both workflow nets are structurally sound. Indeed, $N_{\text{right}}$ is 2-sound as it is always possible to redistribute the two tokens so that $t$ can be fired in order to reach $\{f: 2\}$.


3 Reachability Relaxations

Fix a Petri net $N = (P, T, F)$. We describe the two aforementioned relaxations.

Integer Reachability. An integral marking is a vector $m \in \mathbb{Z}^P$. Any transition $t \in T$ is enabled in $m \in \mathbb{Z}^P$, and firing $t$ leads to $m' := m + \Delta(t)$, denoted $m \xrightarrow{t}_{\mathbb{Z}} m'$. We define $m \to_{\mathbb{Z}} m'$ and $m \to^*_{\mathbb{Z}} m'$ analogously to the standard setting but w.r.t. $\to_{\mathbb{Z}}$ rather than $\to$. Similarly, $\mathbb{Z}\text{-Reach}(N, m) := \{m' \in \mathbb{Z}^P \mid m \to^*_{\mathbb{Z}} m'\}$. As transitions are always enabled, the order of a firing sequence is irrelevant. In particular, $m \to^*_{\mathbb{Z}} m'$ iff there exists $x \in \mathbb{N}^T$ such that $m' = m + \sum_{t \in T} x[t] \cdot \Delta(t)$. Thus, integer reachability amounts to integer linear programming. Moreover, it is NP-complete [12].


Continuous Reachability. A continuous marking is a vector $m \in \mathbb{Q}_{\ge 0}^P$. Let $\lambda \in (0, 1]$. We say that $\lambda t$ is enabled in $m$, denoted $m \xrightarrow{\lambda t}_{\mathbb{Q}_{\ge 0}}$, if $m \ge \lambda \cdot {}^\bullet t$. In this context, $\lambda$ is called the scaling factor. Furthermore, we denote by $m \xrightarrow{\lambda t}_{\mathbb{Q}_{\ge 0}} m'$ that $\lambda t$ is enabled in $m$, and that its firing results in $m' := m + \lambda \cdot \Delta(t)$. A sequence of pairs of scaling factors and transitions is called a continuous run. The notations $m \to_{\mathbb{Q}_{\ge 0}} m'$ and $m \to^*_{\mathbb{Q}_{\ge 0}} m'$ are defined analogously to the discrete case but with respect to $\xrightarrow{\lambda t}_{\mathbb{Q}_{\ge 0}}$ rather than $\xrightarrow{t}$ (the internal factors $\lambda$ can differ). Similarly, $\mathbb{Q}_{\ge 0}\text{-Reach}(N, m) := \{m' \mid m \to^*_{\mathbb{Q}_{\ge 0}} m'\}$ denotes the markings continuously reachable from $m$. For example, for $N_{\text{left}}$ from Fig. 1 and $\pi = \tfrac{1}{2} s \; \tfrac{1}{4} t_1$, we have $\{i: 1\} \xrightarrow{\pi}_{\mathbb{Q}_{\ge 0}} \{i: 1/2, p_1: 1/4, p_2: 1/2, q_1: 1/4\}$. It is known that continuous reachability, namely determining whether $m \to^*_{\mathbb{Q}_{\ge 0}} m'$ given $m, m' \in \mathbb{Q}_{\ge 0}^P$, can be checked in polynomial time [18].

Let us establish the following helpful lemma similar to [18, Lemma 12(1)].

Lemma 1. Let $m, m'$ be continuous markings. It is the case that $m \to^*_{\mathbb{Q}_{\ge 0}} m'$ iff there exists $b \in \mathbb{N}_{\ge 1}$ such that $b \cdot m \to^* b \cdot m'$.
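The discrete run of Example 1, the continuous run $\tfrac{1}{2} s\;\tfrac{1}{4} t_1$ of Section 3 and the scaling argument behind Lemma 1 can all be replayed on $N_{\text{left}}$ with a few lines of Python. The following is an added example, not code from the paper or its implementation; the dictionary encoding of the net (transition to preset and postset, place to token count) and the function names are this example's own choices.

```python
from fractions import Fraction
from math import lcm

# Added example (not from the paper): discrete and continuous firing on the net
# N_left of Fig. 1, as given in Example 1. A net maps each transition to its
# preset and postset (dicts place -> arc weight); a marking maps places to
# token counts (ints, or Fractions for continuous markings). Names follow the paper.
N_LEFT = {
    "s":  ({"i": 1}, {"p1": 1, "p2": 1}),    # (preset, postset)
    "t1": ({"p1": 1}, {"q1": 1}),
    "t2": ({"p2": 1}, {"q2": 1}),
    "u":  ({"q1": 1, "q2": 1}, {"f": 1}),
}


def effect(net, t):
    """Delta(t) = postset - preset, stored sparsely."""
    pre, post = net[t]
    return {p: post.get(p, 0) - pre.get(p, 0) for p in set(pre) | set(post)}


def fire(net, m, t, scale=1):
    """Fire scale*t from m. scale=1 is the discrete semantics; 0 < scale <= 1
    is the continuous one (scale*t is enabled iff m >= scale * preset(t)).
    Returns the resulting marking, or None when scale*t is not enabled."""
    pre, _ = net[t]
    if any(m.get(p, 0) < scale * w for p, w in pre.items()):
        return None
    m2 = dict(m)
    for p, d in effect(net, t).items():
        m2[p] = m2.get(p, 0) + scale * d
    return {p: v for p, v in m2.items() if v != 0}


def fire_run(net, m, run):
    """A run is a list of (scale, transition) pairs; None if it is not enabled."""
    for scale, t in run:
        m = fire(net, m, t, scale)
        if m is None:
            return None
    return m


def scale_up(run):
    """Lemma 1, right-to-left direction made concrete: multiplying a continuous
    run by the lcm b of its scaling factors' denominators gives a discrete run
    (each lambda*t becomes b*lambda copies of t) that is enabled from b*m."""
    b = lcm(*[Fraction(s).denominator for s, _ in run])
    discrete = []
    for s, t in run:
        discrete += [(1, t)] * int(Fraction(s) * b)
    return b, discrete


def discrete_example():
    """{i: 1} -s-> {p1: 1, p2: 1} -t1 t2-> {q1: 1, q2: 1} -u-> {f: 1}."""
    return fire_run(N_LEFT, {"i": 1}, [(1, "s"), (1, "t1"), (1, "t2"), (1, "u")])


def continuous_example():
    """The run 1/2 s 1/4 t1 of Section 3 from {i: 1}."""
    return fire_run(N_LEFT, {"i": 1}, [(Fraction(1, 2), "s"), (Fraction(1, 4), "t1")])


def lemma1_example():
    """Scale the continuous run by b = 4 and fire it discretely from {i: 4}."""
    b, run = scale_up([(Fraction(1, 2), "s"), (Fraction(1, 4), "t1")])
    return b, fire_run(N_LEFT, {"i": b}, run)
```

`continuous_example()` returns exactly the marking $\{i: 1/2, p_1: 1/4, p_2: 1/2, q_1: 1/4\}$ stated in the text, and `lemma1_example()` shows that the same run, multiplied by $b = 4$, becomes the discrete run $s\,s\,t_1$ from $\{i: 4\}$ reaching $4$ times that marking.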


3.1 Preservation Under Reduction Rules

In [10], the authors present six reduction rules, denoted $R_1, \ldots, R_6$, that generalize the existing reduction rules of [27]. In the following, we show that these reduction rules preserve natural properties for the two reachability relaxations. This means we will be able to check these properties on a reduced workflow net and get the same results as on the original one.

Formally, the rules simplify a given workflow net $N = (P, T, F)$. In particular, the places of the resulting workflow net $N' = (P', T', F')$ form a subset of $P$. Let us fix a domain $D \in \{\mathbb{N}, \mathbb{Z}, \mathbb{Q}_{\ge 0}\}$ and let $P' \subseteq P$. For ease of notation, we write $P'' = P \setminus P'$ to denote the (possibly empty) set of removed places. Rules never remove the initial and output places, i.e. $i, f \in P'$. We denote by $\pi\colon D^P \to D^{P'}$ the obvious projection function, and by $\pi_0\colon D^{P'} \to D^P$ the "reverse projection" which fills new places with 0. Formally, $\pi_0(m)[p'] := m[p']$ for all $p' \in P'$ and $\pi_0(m)[p''] := 0$ for all $p'' \in P''$.

In [10], the authors prove that the rules preserve generalised soundness. This of course implies that they preserve $k$-soundness for all $k$. The technical proposition below will be helpful in the forthcoming sections to show the preservation of useful properties based on reachability relaxations.
Proposition 1. Let $N = (P, T, F)$ be a workflow net, and let $D \in \{\mathbb{N}, \mathbb{Z}, \mathbb{Q}_{\ge 0}\}$. Let $N' = (P', T', F')$ be a workflow net obtained by applying a reduction rule $R_i$ to $N$, where $P = P' \cup P''$. The following holds.

- Rule $R_1$. We have $P'' = \{p\}$. There exists a nonempty set $R' \subseteq P'$ such that if $\{i: 1\} \to^*_D m$ in $N$, then $m[p] = \sum_{r' \in R'} m[r']$. Moreover, $m \to^*_D n$ in $N$ iff $\pi(m) \to^*_D \pi(n)$ in $N'$.

- Rules $R_2$ and $R_3$. We have $P'' = \emptyset$ and $m \to^*_D n$ in $N$ iff $m \to^*_D n$ in $N'$.

- Rules $R_4$ and $R_5$. We have $P'' = \{p\}$. For all $m'$ and $n'$, $m' \to^*_D n'$ in $N'$ iff $\pi_0(m') \to^*_D \pi_0(n')$ in $N$. Further, for all $t \in T$ and $p' \in P'$: either ${}^\bullet t[p] = 1$ implies ${}^\bullet t[p'] = 0$; or $t^\bullet[p] = 1$ implies $t^\bullet[p'] = 0$. Also, for $D \neq \mathbb{Z}$, if $\exists m\colon \{i: 1\} \to^*_D m \not\to^*_D \{f: 1\}$ holds in $N$, then $\exists m'\colon \{i: 1\} \to^*_D m' \not\to^*_D \{f: 1\}$ holds in $N'$.

- Rule $R_6$. We have $P'' = \{p_2, \ldots, p_k\}$. There exists $p_1 \in P'$ such that for all $m, n \in D^P$, if $\sum_i m[p_i] = \sum_i n[p_i]$ and $n[p] = m[p]$ for $p \in P' \setminus \{p_1\}$, then $m \to^*_D n$. Moreover, if $m[p_i] = n[p_i] = 0$ for $i > 1$, then $m \to^*_D n$ in $N$ iff $\pi(m) \to^*_D \pi(n)$ in $N'$.


4 Using Relaxations For Generalised Soundness

In this section, we explain how reachability relaxations can be leveraged in order to semi-decide generalised soundness of workflow nets. More precisely, we state two necessary conditions for a workflow net to be generalised sound: one phrased in terms of integer reachability, and one in terms of continuous reachability. Furthermore, for each condition we: (1) show that it is preserved under reduction rules, and (2) establish its computational complexity. Overall, this means that to conclude that a given workflow net $N$ is not generalised sound, one may first reduce $N$, and then efficiently test for one of these two necessary conditions.

For integer boundedness, we need the mild assumption of nonredundancy. Let $N = (P, T, F)$ be a workflow net. We say that a place $p \in P$ is nonredundant¹ if there exist $k \in \mathbb{N}_{\ge 1}$ and $m \in \mathbb{N}^P$ such that $\{i: k\} \to^* m$ and $m[p] \ge 1$. It is known (and simple to see) that redundant places can be removed from a workflow net without changing whether it is generalised sound. Moreover, testing whether a place is nonredundant can be done in polynomial time. Indeed, by Lemma 1, it amounts to testing for the existence of some $m \in \mathbb{Q}_{\ge 0}^P$ such that $\{i: 1\} \to^*_{\mathbb{Q}_{\ge 0}} m$ and $m[p] > 0$. The latter is known as a coverability query and it can be checked in polynomial time [18]. Thus, in order to test whether a given workflow net is generalised sound, one can first remove its redundant places. We call a workflow net without redundant places a nonredundant workflow net.
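The nonredundancy test of the previous paragraph can be carried out without any reachability solver. Over $\mathbb{Q}_{\ge 0}$ a transition can fire some positive amount as soon as every place of its preset holds a positive amount, so the places that can ever become positive from $\{i: 1\}$ are obtained by a fixed-point computation over the net structure; by Lemma 1, those are exactly the nonredundant places. The code below is an added example, not part of the paper or its C# tool; the dictionary encoding of nets and the constructed net `N_RED` are this example's assumptions.

```python
# Added example (not from the paper or its C# tool): detecting redundant places
# through continuous coverability from {i: 1}. It rests on the observation that
# over Q>=0 a transition can fire a small positive amount as soon as every place
# of its preset holds a positive amount, so the set of places that can ever become
# positive is a fixed point over the net structure. Nets are dicts
# transition -> (preset, postset); the place sets and N_RED are constructed here.

def continuously_coverable_places(net, marked):
    """Places p such that some m with m[p] > 0 is continuously reachable from a
    marking whose support is `marked`. Saturate: a transition all of whose input
    places are (or can become) positive can fire a small amount, marking its outputs."""
    covered = set(marked)
    fired = set()
    while True:
        newly = [t for t, (pre, post) in net.items()
                 if t not in fired and set(pre) <= covered]
        if not newly:
            return covered
        for t in newly:
            fired.add(t)
            covered |= set(net[t][1])


def redundant_places(net, places):
    """By Lemma 1, a place is nonredundant iff it is continuously coverable from
    {i: 1}, so the redundant places are those the saturation never reaches."""
    return set(places) - continuously_coverable_places(net, {"i"})


# N_left of Fig. 1 (Example 1): every place is nonredundant.
N_LEFT = {
    "s":  ({"i": 1}, {"p1": 1, "p2": 1}),
    "t1": ({"p1": 1}, {"q1": 1}),
    "t2": ({"p2": 1}, {"q2": 1}),
    "u":  ({"q1": 1, "q2": 1}, {"f": 1}),
}
PLACES_LEFT = {"i", "p1", "p2", "q1", "q2", "f"}

# Constructed workflow net with a redundant place g: transition x needs a token
# in g, but the only transition producing g is x itself, so g is never marked
# from any {i: k} (g still lies on a path from i to f, so this is a workflow net).
N_RED = {
    "s": ({"i": 1}, {"p": 1}),
    "w": ({"p": 1}, {"f": 1}),
    "x": ({"p": 1, "g": 1}, {"g": 1, "f": 1}),
}
PLACES_RED = {"i", "p", "g", "f"}
```

`redundant_places(N_RED, PLACES_RED)` returns `{"g"}`, and removing `g` together with `x` leaves a net whose generalised soundness is unchanged, as the paragraph states. The loop runs at most once per transition, so the test is polynomial in the size of the net.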


4.1 Integer Unboundedness

Recall that a marked Petri net $(N, m)$ is bounded if there exists $b \in \mathbb{N}$ such that $m' \in \mathrm{Reach}(N, m)$ implies $m' \le b$. It is well-known that any 1-sound workflow net must be bounded from $\{i: 1\}$ [1]. In particular, this means that boundedness is a necessary condition for generalised soundness. However, testing boundedness has extensive computational cost as it is EXPSPACE-complete [11,29]. Consider the relaxed property of integer boundedness. It is defined as boundedness, but where "$m' \in \mathrm{Reach}(N, m)$" is replaced with "$m' \in \mathbb{Z}\text{-Reach}(N, m) \cap \mathbb{N}^P$".

¹ This notion is adapted from batch workflow nets considered in [21].


Proposition 2 ([9, Lemma 5.9]). Let $N$ be a nonredundant workflow net. If $(N, \{i: 1\})$ is integer unbounded, then $N$ is not generalised sound.

Proposition 3. The reduction rules from [10] preserve integer unboundedness.

Next, we establish the complexity of integer unboundedness in two steps. The first step, in the next proposition, shows that testing integer boundedness amounts to a simple condition, independent of the initial marking. The second step shows the condition can be translated into a linear program over $\mathbb{Q}$, rather than $\mathbb{N}$. As a corollary, integer unboundedness is testable in polynomial time.

Proposition 4. A marked Petri net $(N, m)$ is integer unbounded iff there exists a marking $m' > 0$ such that $0 \to^*_{\mathbb{Z}} m'$ (independent of $m$).

Proof. Let $N = (P, T, F)$ be a Petri net and let $m \in \mathbb{N}^P$.

$\Rightarrow$) By assumption, there exist $m_0, m_1, \ldots \in \mathbb{Z}\text{-Reach}(N, m) \cap \mathbb{N}^P$ such that, for every $i \in \mathbb{N}$, it is the case that $m_i \not\le i$. Since $(\mathbb{N}^P, \le)$ is well-quasi-ordered, there exist indices $i_0, i_1, \ldots$ such that $m_{i_j} \le m_{i_k}$ for all $j < k$. Without loss of generality, we can assume that $m_{i_j} < m_{i_k}$ for all $j < k$, as we could otherwise extract such a subsequence. Recall that each $m_{i_\ell} \in \mathbb{Z}\text{-Reach}(N, m)$. Let $\pi_\ell \in T^*$ be such that $m \xrightarrow{\pi_\ell}_{\mathbb{Z}} m_{i_\ell}$. Let $x_\ell \in \mathbb{N}^T$ be the vector such that $x_\ell[t]$ indicates the number of occurrences of transition $t$ in $\pi_\ell$. Since $(\mathbb{N}^T, \le)$ is well-quasi-ordered, there exist $j < k$ such that $x_j \le x_k$. Let $m' = m_{i_k} - m_{i_j}$ and $\pi = \prod_{t \in T} t^{(x_k - x_j)[t]}$. We have $0 \xrightarrow{\pi}_{\mathbb{Z}} m' > 0$ as desired since:

$$m' = m_{i_k} - m_{i_j} = (m + \Delta(\pi_k)) - (m + \Delta(\pi_j)) = \Delta(\pi_k) - \Delta(\pi_j) = \sum_{t \in T} x_k[t] \cdot \Delta(t) - \sum_{t \in T} x_j[t] \cdot \Delta(t) = \sum_{t \in T} (x_k - x_j)[t] \cdot \Delta(t) = \Delta(\pi).$$

$\Leftarrow$) By assumption $0 \to^*_{\mathbb{Z}} m' > 0$. In particular, this means that $m \to^*_{\mathbb{Z}} m + m' \to^*_{\mathbb{Z}} m + 2m' \to^*_{\mathbb{Z}} \cdots$. Therefore, $(N, m)$ is not integer bounded.


Proposition 5. A marked Petri net $(N, m)$, where $N = (P, T, F)$, is integer unbounded iff this system has a solution: $\exists x \in \mathbb{Q}_{\ge 0}^T : \sum_{t \in T} x[t] \cdot \Delta(t) > 0$. In particular, given a workflow net $N$, testing integer boundedness of $(N, \{i: 1\})$ can be done in polynomial time.
4.2 Continuous Soundness

Let us now introduce a continuous variant of 1-soundness based on continuous reachability. We prove that this variant, which we call continuous soundness, is a necessary condition for generalised soundness, and preserved by reduction rules. Moreover, we show that continuous soundness is coNP-complete, and relates to integer boundedness.

We say that a workflow net $N$ is continuously sound if for all continuous markings $m \in \mathbb{Q}_{\ge 0}\text{-Reach}(N, \{i: 1\})$ it is the case that $m \to^*_{\mathbb{Q}_{\ge 0}} \{f: 1\}$.


Theorem 1. Continuous unsoundness implies generalised unsoundness.

Proof. Let $N = (P, T, F)$ be a workflow net that is not continuously sound. By definition of continuous soundness, there exists some continuous marking $m \in \mathbb{Q}_{\ge 0}^P$ such that $\{i: 1\} \to^*_{\mathbb{Q}_{\ge 0}} m$ and $m \not\to^*_{\mathbb{Q}_{\ge 0}} \{f: 1\}$. By Lemma 1, there exists $b \in \mathbb{N}_{\ge 1}$ such that $\{i: b\} \to^* b \cdot m$. Furthermore, by Lemma 1, $b \cdot m \not\to^* \{f: b\}$. This means that $N$ is not $b$-sound, and consequently not generalised sound.


Proposition 6. The reduction rules from [10] preserve continuous soundness.

Theorem 2. Continuous soundness is coNP-complete. Moreover, coNP-hardness holds even if the underlying graph of the given workflow net is acyclic.

Proof (of membership in coNP). The inclusion problem consists in determining whether, given Petri nets $N$ and $N'$ over a common set of places, and markings $m$ and $m'$, it is the case that $\mathbb{Q}_{\ge 0}\text{-Reach}(N, m) \subseteq \mathbb{Q}_{\ge 0}\text{-Reach}(N', m')$. The inclusion problem is known to be coNP-complete [8, Prop. 4.6].

Let $N = (P, T)$ be a workflow net. Let $N^{-1} = (P, T^{-1})$ be defined as $N$ but with its transitions reversed, i.e. where $T^{-1} := \{t^{-1} \mid t \in T\}$ with ${}^\bullet(t^{-1}) := t^\bullet$ and $(t^{-1})^\bullet := {}^\bullet t$. It is the case that $m \to^*_{\mathbb{Q}_{\ge 0}} m'$ in $N$ iff $m' \to^*_{\mathbb{Q}_{\ge 0}} m$ in $N^{-1}$. Observe that $N$ is continuously sound iff the following holds for all $m$:

$$m \in \mathbb{Q}_{\ge 0}\text{-Reach}(N, \{i: 1\}) \implies \{f: 1\} \in \mathbb{Q}_{\ge 0}\text{-Reach}(N, m).$$

So, as $\{f: 1\} \in \mathbb{Q}_{\ge 0}\text{-Reach}(N, m)$ is equivalent to $m \in \mathbb{Q}_{\ge 0}\text{-Reach}(N^{-1}, \{f: 1\})$, continuous soundness holds iff $\mathbb{Q}_{\ge 0}\text{-Reach}(N, \{i: 1\}) \subseteq \mathbb{Q}_{\ge 0}\text{-Reach}(N^{-1}, \{f: 1\})$. As inclusion can be tested in coNP, membership follows.


Proof (of coNP-hardness). We give a reduction from the problem of determining whether a Boolean formula in disjunctive normal form (DNF) is a tautology. We adapt a construction from [30] used to show that soundness in acyclic workflow nets is coNP-hard. The proof is more challenging under the continuous semantics as several variable valuations and clauses can be simultaneously used.

The reduction is depicted in Fig. 2 for $\varphi = (x_1 \wedge x_2 \wedge \neg x_4) \vee (\neg x_1 \wedge x_3 \wedge x_4)$. In general, let $\varphi = \bigvee_{j \in [1..k]} C_j$ be a Boolean formula in DNF with $k$ clauses over variables $x_1, \ldots, x_m$. We define a workflow net $N_\varphi = (P, T, F)$.

Fig. 2. A workflow net $N_\varphi$ such that $N_\varphi$ is continuously sound iff $\varphi = (x_1 \wedge x_2 \wedge \neg x_4) \vee (\neg x_1 \wedge x_3 \wedge x_4)$ is a tautology. Places and transitions contain their names (not values). Arcs corresponding to the first and second clauses are respectively dotted and dashed.


Definition. The places are defined as $P = \{i, p_a, f\} \cup P_{\text{var}} \cup P_{\text{clean}}$, where

$$P_{\text{var}} = \bigcup_{i \in [1..m]} \{p_{i,?}, p_{i,1}, p_{i,0}\} \quad\text{and}\quad P_{\text{clean}} = \bigcup_{i \in [1..m]} \{q_i, r_i\}.$$

The transitions are defined as $T := \{t_{\text{init}}, t_{\text{fin}}\} \cup T_{\text{var}} \cup T_{\text{clauses}} \cup T_{\overline{\text{var}}}$, where

$$T_{\text{var}} = \bigcup_{i \in [1..m]} \{v_{i,1}, v_{i,0}\}, \quad T_{\text{clauses}} = \{c_j \mid j \in [1..k]\} \quad\text{and}\quad T_{\overline{\text{var}}} = \bigcup_{i \in [1..m]} \{\bar{v}_{i,1}, \bar{v}_{i,0}\}.$$

Let us explain how $N_\varphi$ is intended to work. Transition $t_{\text{init}}$ enables the initialization of variables and the selection of a clause that satisfies $\varphi$, i.e. ${}^\bullet t_{\text{init}} = \{i: 1\}$ and $t_{\text{init}}^\bullet = \{p_{i,?}: 1 \mid i \in [1..m]\} + \{p_a: 1\}$. A token in place $p_{i,b}$ indicates that variable $x_i$ has been assigned value $b$ (where "?" indicates "none"). Consequently, we have ${}^\bullet v_{i,b} = \{p_{i,?}\}$ and $v_{i,b}^\bullet := \{p_{i,b}\}$ for each $i \in [1..m]$ and $b \in \{0, 1\}$.

Transition $c_j$ consumes a token associated to each literal of clause $C_j$, i.e. ${}^\bullet c_j = \{p_{i,1} \mid x_i \in C_j\} + \{p_{i,0} \mid \neg x_i \in C_j\}$. A token in place $q_i$ indicates that variable $x_i$ is not needed anymore (due to some satisfied clause). A token in place $r_i$ indicates that variable $x_i$ has been discarded. Therefore, transition $c_j$ produces these tokens: $c_j^\bullet := \{q_i \mid x_i \notin C_j \wedge \neg x_i \notin C_j\} + \{r_i \mid x_i \in C_j \vee \neg x_i \in C_j\}$.

Transition $\bar{v}_{i,b}$ discards variable $x_i$, i.e. ${}^\bullet \bar{v}_{i,b} = \{p_{i,b}, q_i\}$ and $\bar{v}_{i,b}^\bullet = \{r_i\}$.

Once each variable is discarded, transition $t_{\text{fin}}$ terminates the execution, i.e. ${}^\bullet t_{\text{fin}} = \{r_i \mid i \in [1..m]\}$ and $t_{\text{fin}}^\bullet = \{f: 1\}$.

Correctness. Note that under $\to^*_{\mathbb{Q}_{\ge 0}}$, the workflow net need not proceed as described. Indeed, it could, e.g., assign half a token to $p_{i,0}$ and half a token to $p_{i,1}$. Similarly, several clauses can be used, with distinct scaling factors. Nonetheless, $N_\varphi$ is continuously sound iff $\varphi$ is a tautology.

$\Rightarrow$) Let $b_1, \ldots, b_m \in \{0, 1\}$. Let $\pi = t_{\text{init}} \, v_{1,b_1} \cdots v_{m,b_m}$. We have: $\{i: 1\} \xrightarrow{\pi}_{\mathbb{Q}_{\ge 0}} \{p_{i,b_i}: 1 \mid i \in [1..m]\} + \{p_a: 1\}$. Since $N_\varphi$ is continuously sound by assumption, there must exist some $j \in [1..k]$ such that $c_j$ is enabled. This implies that clause $C_j$ is satisfied by the assignment. Hence, $\varphi$ is a tautology.

$\Leftarrow$) The proof is technical and involves several invariants (see appendix).


We may now prove that any nonredundant workflow net that is integer unbounded is also continuously unsound (the reverse is not necessarily true). Therefore, integer unboundedness relates to continuous soundness much like continuous unsoundness relates to generalised soundness.

Proposition 7. Let $N$ be a nonredundant workflow net and $m \in \mathbb{N}^P$. If $(N, m)$ is integer unbounded, then $N$ is not continuously sound.

Proof. Let $N = (P, T, F)$ and $m \in \mathbb{N}^P$ be such that $(N, m)$ is not integer bounded. By Proposition 4, there exists $m' > 0$ such that $0 \to^*_{\mathbb{Z}} m'$. By nonredundancy, there exist $\lambda \in \mathbb{N}_{\ge 1}$ and $m'' \in \mathbb{N}^P$ such that $\{i: \lambda\} \to^* \{f: 1\} + m''$. In [21, Lemma 12], it is shown that $\{i: k\} \to^*_{\mathbb{Z}} n$ implies the existence of some $\ell \in \mathbb{N}$ such that $\{i: k + \ell\} \to^* \{f: \ell\} + n$. By invoking this lemma with $k := 0$ and $n := m'$, we obtain $\{i: \ell\} \to^* \{f: \ell\} + m'$ for some $\ell \in \mathbb{N}$. Altogether, $\{i: \lambda + \ell\} \to^* \{f: \lambda + \ell\} + m' + m''$. Since $\lambda + \ell \ge 1$, Lemma 1 yields $\{i: 1\} \to^*_{\mathbb{Q}_{\ge 0}} \{f: 1\} + m'''$ where $m''' := (1/(\lambda + \ell)) \, m'$. As every transition of a workflow net produces at least one token, this contradicts the fact that $N$ is continuously sound. Indeed, it is impossible to fully get rid of $m''' > 0$.


5 Using Relaxations For Structural Soundness

A workflow net $N$ is $k$-quasi-sound if $\{i: k\} \to^* \{f: k\}$. Furthermore, $N$ is structurally quasi-sound if it is $k$-quasi-sound for some $k \in \mathbb{N}_{\ge 1}$.

As observed in [31], structural quasi-soundness is a necessary condition for structural soundness. The notion of structural quasi-soundness is naturally generalised to an arbitrary Petri net $N = (P, T, F)$. Given markings $m, m' \in \mathbb{N}^P$, we say that $m$ structurally reaches $m'$ in $N$ if $k \cdot m \to^* k \cdot m'$ for some $k \in \mathbb{N}_{\ge 1}$. A workflow net is structurally quasi-sound iff $m := \{i: 1\}$ structurally reaches $m' := \{f: 1\}$. So, the observation of [31] can be rephrased as follows.


Proposition 8. Let $N$ be a workflow net. If $\{i: 1\}$ does not structurally reach $\{f: 1\}$ in $N$, then $N$ is not structurally sound.

The problem of structural quasi-soundness can be reduced to an instance of the Petri net reachability problem [31, Lemma 2.1]. Intuitively, the reduction produces a Petri net that nondeterministically chooses multiples of $\{i: 1\}$ and $\{f: 1\}$ for which to check reachability. Such an approach has a prohibitive computational cost as Petri net reachability is Ackermann-complete. However, we observe that structural reachability, and hence structural quasi-soundness, is equivalent to continuous reachability by Lemma 1.

Proposition 9. Let $N = (P, T, F)$ be a Petri net, and let $m, m' \in \mathbb{N}^P$ be markings. It is the case that $m$ structurally reaches $m'$ iff $m \to^*_{\mathbb{Q}_{\ge 0}} m'$.
For a workflow net $N = (P, T, F)$, let $k_N \in \mathbb{N}_{\ge 1} \cup \{\infty\}$ be the smallest number for which $N$ is $k_N$-quasi-sound. Then $N$ is structurally sound iff $k_N \neq \infty$ and $N$ is $k_N$-sound [31, Thm 2.1]. By Proposition 9, $k_N \neq \infty$ can be checked in polynomial time via a continuous reachability query. Moreover, a lower bound on $k_N$ can be obtained by computing $k_{N,\mathbb{Z}} \in \mathbb{N}_{\ge 1} \cup \{\infty\}$, defined as the smallest value such that $\{i: k\} \to^*_{\mathbb{Z}} \{f: k\}$. We obtain a better bound by defining $k_{N,\mathbb{Q}_{\ge 0}} \in \mathbb{N}_{\ge 1} \cup \{\infty\}$ as the smallest value for which there is a continuous run $\pi = \lambda_1 t_1 \cdots \lambda_n t_n$ such that $\{i: k\} \xrightarrow{\pi}_{\mathbb{Q}_{\ge 0}} \{f: k\}$ and $m \in \mathbb{N}^T$, where $m[t] := \sum_{i \in [1..n],\, t_i = t} \lambda_i$. Values $k_{N,\mathbb{Z}}$ and $k_{N,\mathbb{Q}_{\ge 0}}$ can respectively be computed by a translation to integer linear programming, and a decidable optimization modulo theory.

Proposition 10. Let $N$ be a workflow net. It is the case that $k_{N,\mathbb{Z}} \le k_{N,\mathbb{Q}_{\ge 0}} \le k_N$. Moreover, $k_{N,\mathbb{Z}}$ can be computed from an integer linear program $\mathcal{P}$; $k_{N,\mathbb{Q}_{\ge 0}}$ can be obtained by computing $\min k \in \mathbb{N}_{\ge 1} : \varphi(k)$ where $\varphi$ is a formula from the existential fragment of mixed linear arithmetic, i.e. $\exists\mathrm{FO}(\mathbb{Q}, \mathbb{Z}, <, +)$; and both $\mathcal{P}$ and $\varphi$ are constructible in polynomial time from $N$.


6 Free-Choice Workflow Nets

Let $N = (P, T, F)$ be a Petri net. We say that $N$ is free-choice if for any $s, t \in T$, it is the case that either $\mathrm{supp}({}^\bullet s) \cap \mathrm{supp}({}^\bullet t) = \emptyset$ or ${}^\bullet s = {}^\bullet t$. For example, the nets $N_{\text{left}}$ and $N_{\text{right}}$ from Fig. 1 are respectively free-choice and not free-choice.

It is known that generalised soundness is equivalent to 1-soundness in free-choice workflow nets [28]. We will show that the same holds for structural soundness, and that, surprisingly, for continuous soundness as well. This means that notions of soundness collapse for free-choice nets. This is proven in the forthcoming Lemma 2 and Theorem 3, which form one of the main theoretical contributions of this work.

Let $(N, m)$ be a marked Petri net. We say that a transition $t$ is quasi-live in $(N, m)$ if there exists $m'$ such that $m \to^* m' \xrightarrow{t}$. Similarly, we say that a transition $t$ is live in $(N, m)$ if for all $m'$ such that $m \to^* m'$, $t$ is quasi-live in $(N, m')$. In words, quasi-liveness states that there is at least one way to enable $t$, and liveness states that $t$ can always be re-enabled. The sets of quasi-live and live transitions of $(N, m)$ are defined respectively as $F(m) := \{t \in T \mid t \text{ is quasi-live in } (N, m)\}$ and $L(m) := \{t \in T \mid t \text{ is live in } (N, m)\}$.

Lemma 2. Let $N = (P, T, F)$ be a free-choice Petri net, let $c \in \mathbb{N}_{\ge 1}$, and let $m \in \mathbb{N}^P$. The following statements hold.

1. There exists a marking $m'$ such that $m \to^* m'$ and $L(m') = F(m')$.

2. If $L(m) = F(m)$, then $L(c \cdot m) = F(c \cdot m) = F(m)$.

3. If $L(c \cdot m) = F(c \cdot m)$, $c \cdot m \to^* \{f: c\}$ and $(N, c \cdot m)$ is bounded, then $m = \{f: 1\}$.

Lemma 3. Let $N$ be a workflow net. If $N$ is continuously sound, then $(N, \{i: k\})$ is bounded for all $k \in \mathbb{N}_{\ge 1}$.
Theorem 3. Let $N$ be a free-choice workflow net. These statements are equivalent: (1) $N$ is 1-sound, (2) $N$ is generalised sound, (3) $N$ is structurally sound, and (4) $N$ is continuously sound.

Proof. (1) $\Rightarrow$ (2). This was shown in [28].

(2) $\Rightarrow$ (3). By definition, if $N$ is $k$-sound for all $k$, then it is for some $k$.

(2) $\Rightarrow$ (4). By Theorem 1.

(3) $\Rightarrow$ (1). Let $k \in \mathbb{N}_{\ge 1}$ be such that $N$ is $k$-sound. Let $m \in \mathbb{N}^P$ be such that $\{i: 1\} \to^* m$. By Lemma 2(1), there is a marking $m' \in \mathbb{N}^P$ such that $m \to^* m'$ and $F(m') = L(m')$. By Lemma 2(2), we have $L(k \cdot m') = F(k \cdot m') = F(m')$.

By $k$-soundness, $(N, \{i: k\})$ must be bounded [9, Proposition 3.2 and Lemma 3.6]. Thus, since $\{i: k\} \to^* k \cdot m \to^* k \cdot m'$, it is also the case that $(N, k \cdot m')$ is bounded. By $k$-soundness, $k \cdot m' \to^* \{f: k\}$. By invoking Lemma 2(3) with $c := k$, we conclude that $m' = \{f: 1\}$. So, $N$ is 1-sound as $\{i: 1\} \to^* m \to^* m' = \{f: 1\}$.

(4) $\Rightarrow$ (1). Assume that $N$ is continuously sound. Let $m \in \mathbb{N}^P$ be a marking such that $\{i: 1\} \to^* m$. By Lemma 2(1), there exists $m' \in \mathbb{N}^P$ such that $m \to^* m'$ and $L(m') = F(m')$. Clearly, $\{i: 1\} \to^*_{\mathbb{Q}_{\ge 0}} m'$ and by continuous soundness $m' \to^*_{\mathbb{Q}_{\ge 0}} \{f: 1\}$. By Lemma 1, there exists $b \in \mathbb{N}_{\ge 1}$ such that $b \cdot m' \to^* \{f: b\}$.

By Lemma 3, continuous soundness of $N$ implies that $(N, b \cdot m')$ is bounded, as $\{i: b\} \to^* b \cdot m'$. Since $L(m') = F(m')$, it follows from Lemma 2(2) that $L(b \cdot m') = F(b \cdot m')$. By invoking Lemma 2(3) with $c := b$, we derive $m' = \{f: 1\}$. Therefore, $N$ is 1-sound as $\{i: 1\} \to^* m \to^* m' = \{f: 1\}$.


7 Experimental Evaluation

We implemented our approaches for generalised and structural soundness in C#.² We test continuous soundness via SMT solving. More precisely, we use an existential formula $\varphi_N$ of linear arithmetic, i.e. $\mathrm{FO}(\mathbb{Q}, <, +)$, from [8]. This formula is such that $\varphi_N(m, m')$ holds iff $m \to^*_{\mathbb{Q}_{\ge 0}} m'$ in $N$. Continuous soundness amounts to the $\exists\forall$-formula $\varphi_N(\{i: 1\}, m) \wedge \neg\varphi_N(m, \{f: 1\})$. To solve such formulas, we use Z3 [26]. We further use Z3 to decide structural quasi-soundness and compute $k_{N,\mathbb{Q}_{\ge 0}}$ (see Proposition 10), again via the formulas of [8].

² The implementation can be obtained from https://doi.org/10.6084/m9.figshare.19721674.v2.

We evaluated our prototype implementation on a standard benchmark suite used regularly in the literature, and a novel suite of synthetic instances where generalised or structural soundness are hard to decide with a naive approach.

We compared with two established tools for soundness: LoLA (v2.0) [35], and Woflan [33].³ The latter can only decide classical soundness (1-soundness + quasi-liveness). Nonetheless, we use quasi-live instances, for which 1-soundness and classical soundness are equivalent. We further use a transformation to reduce the verification of $k$-soundness to the one of 1-soundness [9, Lemma 3.6]. On the other hand, LoLA can directly decide $k$-soundness. To do so, we start from $\{i: k\}$ and check a CTL formula of the form $\mathbf{AG}\,\mathbf{EF}\,((m[f] = k) \wedge \bigwedge_{p \neq f} m[p] = 0)$.

³ A version of Woflan suitable for running without user interaction was provided, via personal communication, by its maintainer.

Experiments were run on an 8-Core Intel® Core™ i7-7700 CPU @ 3.60 GHz with Ubuntu 18.04. We limited memory to ~8 GB, and time to 120 s for each instance. Tools were called from a Python script. For LoLA and our implementation, we used the time module to measure time. Running Woflan involves some overhead, so we instead take the total verification time reported by Woflan itself.


7.1 Free-Choice Benchmark Suite

The benchmark suite encompasses 1386 free-choice Petri nets that represent business processes modeled in the IBM WebSphere Business Modeler. It was originally presented in [16], and has been studied frequently in the literature [10,17]. These nets are not workflow nets by our definition, but can be transformed using a known procedure [23]. Intuitively, the nets are workflow nets with multiple final places, and the procedure adds a dedicated output place and ensures that the resulting workflow net represents the desired behaviour. However, roughly 1% of the nets are not workflow nets by our definition even after the procedure, as they contain nodes that are not on a path from $i$ to $f$. We removed these nets.

We further checked each net for safety using LoLA and dropped unsafe nets. Recall that $(N, \{i: 1\})$ is safe if each reachable marking has at most one token per place. Unsafe instances can be dropped as unsafety implies 1-unsoundness in free-choice nets [34, Thm. 4.2 and 4.4], and as existing methods for checking safety, e.g. via state-space exploration with partial order reductions, are very efficient (here needing a mean of 3 ms). Thus, we considered safe instances only. Among the 1386 instances, 1382 are workflow nets, and 977 are further safe.

We also invoked an implementation of the reduction rules of [10] to reduce the size of all instances.⁴ As discussed in the introduction, the rules can reduce some instances to trivially sound nets. However, even the size of nontrivial reduced instances tends to be small, with an average number of places and transitions of roughly 14, while three quarters of nets have at most 18 places and transitions. This is small enough that a complete state-space enumeration is often feasible, in particular as the nets are safe and especially LoLA utilizes powerful partial order reductions for such nets. As we want to focus on scalability, we chained instances to produce challenging synthetic nets based on real-world instances. This is a natural way of constructing workflow nets: intuitively, the final process can be composed of many subtasks. It can be seen as a special case of refinement operations, studied in the context of generalised soundness [20].

The chaining procedure merges two workflow nets $N = (P, T, F)$ and $N' = (P', T', F')$ into $N'' := (P'', T'', F'')$ where $P'' := P \cup P'$, $T'' := T \cup T' \cup \{t_{\text{aux}}\}$, with $F''$ as $F + F'$ extended with ${}^\bullet t_{\text{aux}}[f] = 1$, $t_{\text{aux}}^\bullet[i'] = 1$, and ${}^\bullet t_{\text{aux}}[p] = t_{\text{aux}}^\bullet[p'] := 0$ for other entries. It is readily seen that this construction (1) produces a free-choice net if both $N$ and $N'$ are free-choice; and (2) preserves safety.

⁴ At time of writing, an implementation is available at https://github.com/LoW12/Hadara-AdSimul.
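The three structural notions used so far, the workflow-net conditions of Section 2.2, the free-choice condition of Section 6 and the chaining construction just described, are all checkable by plain graph traversal. The following is an added example, not code from the paper or its C# implementation; the dictionary encoding of nets, the renaming of the second net's nodes with a suffix (the paper's $i'$, $f'$ notation) and the constructed non-free-choice net `N_CONFLICT` are this example's assumptions.

```python
# Added example (not from the paper or its C# tool): structural checks on
# workflow nets. Nets are dicts transition -> (preset, postset) with
# place -> arc-weight dicts; N_LEFT is the net of Fig. 1 (Example 1) and
# N_CONFLICT is constructed here to violate the free-choice condition.


def places_of(net):
    ps = set()
    for pre, post in net.values():
        ps |= set(pre) | set(post)
    return ps


def is_workflow_net(net, i, f):
    """Section 2.2: i has no incoming arc, f != i has no outgoing arc, and every
    node of the underlying graph lies on a path from i to f."""
    if i == f:
        return False
    if any(post.get(i, 0) for _, post in net.values()):   # t•[i] = 0 for all t
        return False
    if any(pre.get(f, 0) for pre, _ in net.values()):     # •t[f] = 0 for all t
        return False
    succ, pred = {}, {}
    for t, (pre, post) in net.items():
        for p in pre:
            succ.setdefault(p, set()).add(t)
            pred.setdefault(t, set()).add(p)
        for p in post:
            succ.setdefault(t, set()).add(p)
            pred.setdefault(p, set()).add(t)

    def closure(start, edges):
        seen, todo = {start}, [start]
        while todo:
            x = todo.pop()
            for y in edges.get(x, ()):
                if y not in seen:
                    seen.add(y)
                    todo.append(y)
        return seen

    nodes = places_of(net) | set(net)
    # a node lies on an i-f path iff it is reachable from i and f is reachable from it
    return nodes <= closure(i, succ) & closure(f, pred)


def is_free_choice(net):
    """Section 6: any two transitions have disjoint presets or the same preset."""
    ts = list(net)
    for a in range(len(ts)):
        for b in range(a + 1, len(ts)):
            pre_a, pre_b = net[ts[a]][0], net[ts[b]][0]
            if set(pre_a) & set(pre_b) and pre_a != pre_b:
                return False
    return True


def chain(net1, net2, i1="i", f1="f", i2="i", f2="f", suffix="'"):
    """Section 7.1: rename net2's nodes with `suffix` (the paper's primes) and add
    t_aux consuming f1 and producing the renamed i2. Returns (net, initial, final)."""
    renamed = {t + suffix: ({p + suffix: w for p, w in pre.items()},
                            {p + suffix: w for p, w in post.items()})
               for t, (pre, post) in net2.items()}
    merged = dict(net1)
    merged.update(renamed)
    merged["t_aux" + suffix] = ({f1: 1}, {i2 + suffix: 1})
    return merged, i1, f2 + suffix


N_LEFT = {
    "s":  ({"i": 1}, {"p1": 1, "p2": 1}),
    "t1": ({"p1": 1}, {"q1": 1}),
    "t2": ({"p2": 1}, {"q2": 1}),
    "u":  ({"q1": 1, "q2": 1}, {"f": 1}),
}

# Constructed: a and b share input place p but have different presets.
N_CONFLICT = {
    "s": ({"i": 1}, {"p": 1, "q": 1}),
    "a": ({"p": 1}, {"f": 1}),
    "b": ({"p": 1, "q": 1}, {"f": 1}),
}
```

Chaining `N_LEFT` with a renamed copy of itself gives a net with nine transitions and new final place `f'`; `is_workflow_net` and `is_free_choice` both hold on it, which is observation (1) above on this instance.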
This way, we generated large instances by using $\ell \in \{1, 21, 41, \ldots, 401\}$ randomly chosen unreduced safe instances from the benchmark suite as inputs to be chained into one instance, then reduced that instance. For each number $\ell$, we produced 20 combined nets, with a fresh random choice each time, in order to have a more representative collection of nets for $\ell$. This resulted in 420 instances, of which 405 are nontrivial after applying reduction rules.

A caveat is that such large nets may seem unlikely to arise in practice. It seems a human designer would avoid designing highly complex processes corresponding to Petri nets with thousands of places. However, process models are not only explicitly written by humans, but also machine-generated, e.g. by mining event logs (see [32] for a book on the topic). In particular, being free-choice is preserved by chaining, so a large free-choice net may "hide" and combine several less complex processes, which might necessitate analyzing large workflow nets.

Results. We checked the safe free-choice instances obtained as explained above for 1-soundness using LoLA, Woflan and our implementation of continuous soundness. The results are shown on the left of Fig. 3. The right-hand side of the figure provides an overview over the sizes of the nets. In each case, $N$ refers to the number of original instances that were chained to create each instance.
Fig. 3. Experiments on chained free-choice instances. The x-value denotes the number $N$ of chained nets. Dark thick lines denote the mean, and light thin lines of the same color denote the minimum and maximum, respectively. For Woflan, the minimum line is slightly below the line of this work. For this work, the minimum and maximum lines are very close to the mean. Left: The y-value denotes time for checking soundness of the 20 nets for each $N$. Marks on the gray line at 120 s denote timeouts. Right: The y-value denotes the size of generated nets. (Color figure online)


The results show that state-space exploration via LoLA is very fast for moderate sizes, but does not scale as well. Continuous soundness is in fact outperformed by LoLA for $N < 100$, but scales much better, showing essentially linear growth in the given data range. For instance, continuous soundness takes a mean of 0.25 s for $N = 1$, a mean of 1.07 s for $N = 201$, and a mean of 2.28 s for $N = 401$.

Woflan performs very well on the original instances, but times out frequently for larger instances. Woflan checks so-called S-coverability [34]. This is fast on many instances, even large ones, but starts running into the exponential-time worst case when instances get larger. For $N = 1$ and $N = 21$, Woflan does not ever time out, while it times out for roughly half of the instances in the range from $N = 201$ to $N = 401$. Overall, we infer that for large free-choice workflow nets, deciding soundness by checking continuous soundness can outperform existing techniques, while the procedure is still competitive on moderate instances.


7.2 Synthetic Instances

In the previously discussed benchmark suite, nets are free-choice. So structural and generalised soundness are equivalent by Theorem 3. We considered including a second suite of 590 non-free-choice Petri nets that represent processes of the SAP reference model [25]. However, they turn out to be 1-quasi-sound but not 1-sound, so they represent trivial cases for generalised and structural soundness: simply checking 1-soundness, or 1-quasi-soundness and then 1-soundness, decides all instances. It is also worth mentioning that none of the 590 SAP instances are continuously sound, so all of them can be shown to not be generalised sound by checking continuous soundness, without having to check 1-soundness.

In order to have a wider variety of challenging instances, we introduce several families of synthetic workflow nets. The nets are simple to understand, but have large numbers of reachable markings, so are challenging for approaches relying on state-space exploration, e.g. model checking.

Encoding Arc Weights. To simplify the presentation, we describe synthetic instances utilizing arcs with weights. For benchmarking, we removed the arc weights and instead input equivalent weightless nets. To do so, we used an encoding that simulates exponentially large weights by polynomially many transitions and places (the encoding is explained in ??). It preserves (quasi-)soundness, but significantly increases the number of reachable markings. Indeed, our synthetic instances are mostly trivial to solve by enumerating reachable markings when arcs have weights, but become much harder to decide when the encoding is used.⁵ While much of the literature on workflow nets does not consider nets with arc weights, implicit structural encodings can occur in practice.

⁵ It is deliberately used to make instances challenging, not to ensure compatibility with LoLA or Woflan, as both support arc weights.

Generalised Soundness

Benchmark Instances. We introduce a synthetic family of nets where generalised soundness appears to be challenging. The family $\{N_c\}_{c \in \mathbb{N}_{\ge 1}}$ is defined at the top of Fig. 4. Parameter $c \in \mathbb{N}_{\ge 1}$ is the smallest value for which $N_c$ is $c$-unsound. From $\{i: c\}$, the sequence $t^c \, t_c \, t'$ can be fired, which leads to the deadlock $\{r: c + 1\}$.
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1}. Yet, when starting with k < c tokens in i, and firing ¢*, transitions t, and ts 
can only be fired exactly k times, and {f: k} will be reached. 


[Fig. 4 image: the workflow net N_c (top) and the three synthetic families (bottom); the drawing is not recoverable from the text.] 


Fig. 4. Top: A workflow net N_c that is c-unsound and k-sound for all k ∈ [1..c − 1]. 
Bottom: Three families of instances. Bottom left: N_sound-c is quasi-sound and ℓc-sound 
for all ℓ ∈ N≥1. Bottom center: N_¬quasi-c is not structurally quasi-sound. Bottom right: 
N_¬sound-c is ℓc-quasi-sound for all ℓ ∈ N≥1, but not structurally sound. 


The naive approach to decide generalised soundness is to check k-soundness 
for all k until a counterexample is found or a bound is exceeded. It is known 
that if a counterexample exists, then there also is one of size at most exponen- 
tial [9, Lemma 5.6 and 5.8]. The approach we chose for semi-deciding generalised 
soundness is to check continuous soundness. Recall that continuous soundness is 
a necessary (albeit not sufficient) condition, as shown in Theorem 1. 

In our evaluation, we used Woflan and LoLA to check generalised soundness 
of the family for different c by checking 1-soundness, ..., c-soundness, and compared 
the result to the time needed for testing continuous soundness. Our main goal is 
to evaluate whether checking continuous soundness is efficient enough to serve as 
an inexpensive way to witness generalised unsoundness for nontrivial instances. 


Results. Figure 5 depicts the results. Woflan and LoLA show good performance 
for small values of c, but do not scale well to larger values. They respectively time 
out for c > 5 and c > 8. The instances are not free-choice, so LoLA and Woflan 
need to explore the state-space for each k < c, which becomes infeasible. For 
c > 14, Woflan cannot even check 1-soundness within the time limit. LoLA can 
check 1- and 2-soundness for c < 28, but cannot handle 2-soundness for larger c. 
Continuous soundness is efficiently verifiable even for c = 40. In particular, we 
need less than 5 s on all instances. The greatest time is at c = 33. Further, at 
most 1 s is needed on 34 out of 40 instances (mean of 0.6 s). 
Fig. 5. Time to check generalised soundness of N_c for different values of c. Marks on 
the gray line at 120 s denote timeouts. (Color figure online) 


Structural Soundness 

Benchmark Instances. For structural soundness, recall that our decision procedure 
is based on checking structural quasi-soundness and obtaining some lower 
bound for the smallest number for which the net is quasi-sound. Thus, we want 
to test on both benchmark instances that are structurally quasi-sound and those 
that are not. We introduce three families of non-free-choice nets for which structural 
soundness appears challenging. These instances are defined at the bottom 
of Fig. 4. We respectively denote them N_sound-c (left), N_¬quasi-c (center) and 
N_¬sound-c (right). We claim that: N_sound-c is ℓc-sound for all ℓ ∈ N≥1; N_¬quasi-c 
is not structurally quasi-sound; N_¬sound-c is ℓc-quasi-sound for all ℓ ∈ N≥1, not 
k-quasi-sound for any other number k ∈ N≥1, and not structurally sound. 

For the experiments, our goal is twofold. First, we want to evaluate whether 
utilizing continuous reachability to decide structural quasi-soundness is more 
efficient than using the known reduction to reachability described in [31, 
Lemma 2.1]. Woflan does not directly support checking reachability, so we only 
compare with LoLA. Second, we want to evaluate whether the lower bound for 
the smallest number for which the net is quasi-sound, which we dubbed ky,o,, 
towards the end of Sect. 5, is close to the actual smallest number, dubbed kw. 

A caveat of this evaluation is that we evaluate only on our synthetic instances, 
and that computing ky,g,, is only one step in deciding structural soundness. 
However, we think that the evaluation on these hard synthetic instances can give 
insights into the applicability on nontrivial real-world instances. 


Results. Figure 6 compares the time needed to verify structural reachability for 
LoLA and our prototype. For small instances, LoLA sometimes performs very 
well, but we scale better for large values. Of particular note is that in the absence 
of quasi-soundness, LoLA will generate an infinite state-space, so will generally 
run out of time or memory. In particular, LoLA times out for all c on N_¬quasi-c. It 
also times out for c > 32 on N_sound-c. On the other hand, continuous soundness 
never times out for the given values of c. In fact, when we tested continuous 
soundness for much larger values of c, we found that our implementation of 
continuous reachability decides structural quasi-soundness for N_¬quasi-c in under 
2 s for c = 20 000 000. 
We further found that for all instances, ky g., = kw, that is, our lower 
bound exactly matches the smallest number for which the net is quasi-sound. 
Thus, it only remains to decide ky.g,.-quasi-soundness and ky g,,-soundness 
in order to decide structural soundness. This is in contrast to the naive approach, 
which starts at k = 1 and checks k-quasi-soundness for each value up to ky,q,,- 
Fig. 6. Time taken vs parameter c for checking structural quasi-soundness using the 
reduction to reachability, and utilizing our approach to compute ky,g,,, for each of 
the three families at the bottom of Fig. 4: N_sound-c (left), N_¬quasi-c (center), N_¬sound-c 
(right). Note that the axis ranges differ. Marks on the gray line at 120 s denote timeouts. 
(Color figure online) 


8 Conclusion 


In this work, we have shown how reachability relaxations allow us to efficiently 
semi-decide generalised and structural soundness. Our approach combines nicely with 
reduction rules, as they all preserve relaxations. In particular, we have introduced 
continuous soundness as an approximation of generalised soundness, and shown 
that it coincides with other types of soundness for free-choice nets. 

As part of future work, we plan to migrate our prototype into the process 
mining framework ProM, to make the algorithms available to practitioners. 
Abstract. Requirements formalization has become increasingly popu- 
lar in industrial settings as an effort to disambiguate designs and opti- 
mize development time and costs for critical system components. For- 
mal requirements elicitation also enables the employment of analysis 
tools to prove important properties, such as consistency and realizabil- 
ity. In this paper, we present the realizability analysis framework that we 
developed as part of the Formal Requirements Elicitation Tool (FRET). 
Our framework prioritizes usability, and employs state-of-the-art analysis 
algorithms that support infinite theories. We demonstrate the workflow 
for realizability checking, showcase the diagnosis process that supports 
visualization of conflicts between requirements and simulation of coun- 
terexamples, and discuss results from industrial-level case studies. 


1 Introduction 


Requirements elicitation is a proactive process which, by capturing the intended 
behavior of a system at an early stage, safeguards against decisions that could 
lead to increased development costs and even catastrophic failures. Formal 
requirements analysis can solidify engineers’ confidence in the expressed specifi- 
cation. Our work is concerned with ensuring requirements consistency for system 
components, as a pre-requisite for subsequent system-level analysis. In partic- 
ular, we focus on the notion of realizability: a realizable set of requirements 
guarantees that an implementation exists, such that it always behaves in a man- 
ner consistent with the specification, no matter what input it receives from its 
environment. The notion of realizability, first described as implementability by 
Pnueli and Rosner [47], has since then shaped an entire research area over the 
specification and synthesis of reactive systems. 

This paper presents the realizability analysis framework that we have devel- 
oped as part of NASA’s open source tool FRET [3] for writing, understanding, 
and formalizing requirements. FRET is designed with a strong focus on usabil- 
ity, and is used by several NASA projects to explore the benefits of writing 
requirements that can be processed by formal analysis tools [10,17,42,45]. Addi- 
tionally, FRET has been used by external (to NASA) industrial and research 
teams, e.g., for the formalization of aircraft engine controller requirements [19]. 
FRET’s realizability framework has two main goals: 1) to implement efficient algo- 
rithms for checking realizability, and 2) to provide user support in understanding 
and correcting sources of unrealizability. With these features, FRET provides an 
end-to-end solution to capturing, analyzing, and diagnosing requirements. 

FRET’s realizability framework provides a user-friendly interface for analyz- 
ing the requirements of system components. We have designed a graphic environ- 
ment, in which the user can observe a (potentially) decomposed version of the 
specification that is sound with respect to realizability, as well as further dive into 
the task of diagnosing unrealizable requirements. Compositional analysis is based 
on our theoretical framework for checking realizability of a global specification 
through smaller, more tractable parts [25,43]. The diagnosis process is based on 
the theoretical work by Könighofer et al. [33,34] on generating minimal conflicts of 
unrealizability. We adjusted the diagnosis algorithm to support the discovery of all 
minimal conflicts in a contract, accompanied by a counterexample of unrealizabil- 
ity. The computed artifacts can be visualized as an interactive diagram that depicts 
the dependencies between requirements and conflicts. Counterexample traces that 
originate from these conflicts can also be simulated to enhance the understanding 
of unrealizability sources. For the analysis, we have integrated in FRET state-of- 
the-art tools with respect to realizability checking modulo infinite theories. 

In particular, the contributions of this work are: 


— The design and implementation of a realizability checking framework in 
FRET that tightly integrates the JKIND [23] and KIND 2 [35] analysis tools; 

— a diagnosis feature for unrealizability that returns all minimal conflicts and 
their counterexamples in an easy-to-use, graphical user interface; 

— the extension of the simulator component in FRET, to be used for the sim- 
ulation of conflicting requirements in unrealizable specifications; and 

— improvements of the algorithms in our in-house fork of the JKIND model 
checker, following recent work from the KIND 2 and GenSys [48] tools. 


2 Related Work 


Table 1 provides a comparison between prominent requirements specification 
tools that support realizability checking with respect to various aspects, such 
as support for liveness properties, specification decomposition, and the underlying algorithms. 
Spectra Tools [37] and RATSY [8] are requirements specification tools for 
reactive synthesis over the General Reactivity of Rank 1 (GR(1)) fragment of 
LTL. The GR(1) fragment is particularly appealing, because it subsumes a subset 
of requirements that may appear in real world problems, adheres to the popular 
Assume-Guarantee paradigm, and a polynomial-time synthesis algorithm exists 
for it [9,46]. Both tools are limited to finite-state problems, and provide the abil- 
ity to diagnose unrealizable specifications, primarily through the computation 
of minimal unrealizable cores [33,40] and counterstrategy synthesis, where an 
implementation for the environment is generated, such that its actions always 
lead to the violation of the specification [34,39]. Furthermore, Spectra Tools 
provide the ability to repair unrealizable specifications [38]. 


Table 1. Comparison of requirements specification tools w.r.t. realizability checking. 

SpeAR [22] and AGREE [14] are tools developed at Collins Aerospace for 
the purpose of requirements specification and analysis. Realizability checking is 
provided as a feature in both tools with limited support. Both tools depend on 
JKIND’s k-induction algorithm for realizability checking, which supports infinite- 
state problems, but is not sound with respect to unrealizable results [24]. 

EARS-CTRL [36] is yet another requirements specification platform that 
enables analysis of requirements written in Easy Approach to Requirements 
Syntax (EARS) [41]. Its realizability checking implementation relies upon 
autoCode [13], and is limited to the GXW subset of LTL [12]. Similar to Spectra 
Tools and RATSY, its analysis is limited to finite-state problems. 

FRET’s realizability-checking framework encapsulates desirable features of 
the aforementioned tools into an interface that is designed for users of vary- 
ing backgrounds in formal methods. Additionally, it is the only requirements 
specification tool that provides a powerful decomposition approach to help with 
analysis performance [25,43]. FRET’s realizability framework is powered by the 
algorithms in JKIND and KIND 2. As such, it can analyze requirements that 
are as expressive as arbitrary discrete past-time metric LTL (pmLTL) formulas, 
and which may involve arithmetic expressions over the Linear Integer and Real 
Arithmetic SMT-LIB logics [7]. In practice, the framework targets analysis of 
formulas corresponding to requirements written in FRETISH, as presented in the 
next section. FRETISH requirements correspond to templates that form only a 
subset of all pmLTL formulas. As long as future FRETISH extensions can be 
translated into pmLTL, analysis will be supported by the realizability backend. 


3 The FRETish Language 


In FRET, requirements are written in a restricted natural language called 
FRETish [27]. FRET formalizes FRETish requirements in pmLTL and then 
into Lustre. A FRETish requirement is described using up to six distinct fields 
(the * symbol designates mandatory fields): 1) scope specifies the time intervals 
where the requirement is enforced, 2) condition is a Boolean expression that 
triggers the response to occur at the time the expression’s value becomes true, 
or is true at the beginning of the scope interval, 3) component* is the system 
component that the requirement is levied upon, 4) shall* is used to express that 
the component’s behavior must conform to the requirement, 5) timing specifies 
when the response shall happen, subject to the constraints defined in scope and 
condition and 6) response* is the Boolean expression that the component’s 
behavior must satisfy. 


Table 2. Two FSM requirements in FRETish and pmLTL from Katis et al. [32]. 

[FSM-006]  FSM shall for 5 ticks satisfy (state = 2 & standby & good) => STATE = 3 
           H ((O[<=5] (! (Y TRUE))) -> (state = 2 & standby & good) -> STATE = 3) 

[FSM-007]  FSM shall within 5 ticks satisfy (state = 2 & supported & good) => STATE = 0 
           H ((H (! (state = 2 & supported & good) -> STATE = 0)) -> (O[<5] (! (Y TRUE)))) 

FRETish provides 8 scopes: global, in, before, after, notin, only in, only 
before, and only after. The scope global means always; the others are with respect 
to when the system is in a mode or satisfies a Boolean expression. For example, 
In mode M means the requirement is enforced when the system is in mode M, as 
determined by the Boolean variable M. A Boolean expression is also allowed for scope 
in place of a single Boolean variable, except that in, when used with an expression, 
is written as while; e.g., While vehicle_mode = hover. In FRETish, the 
optional condition field is introduced by the words upon, when, or if, which 
are synonymous in FRETish, or the word unless, which is the same as when 
!. FRETish provides 10 timings: immediately, at the next timepoint, always, 
eventually, never, for N time steps, within N time steps, after N time steps, 
until bool_expr, and before bool_expr. When the scope is omitted it is taken as 
global; when the condition is omitted, it is taken as true; when the timing is 
omitted, it is taken as eventually. If we consider the condition being omitted 
as a separate case, there are 8 × 2 × 10 = 160 possible combinations of (scope, 
condition, timing), each formalized as a distinct pmLTL formula template. The 
templates are generated by an algorithm that has been formally proven to 
generate formalizations with the intended semantics [15]. 

Boolean expressions can use the standard logical connectives (!, &, |) and can 
involve arithmetic relations (=, !=, <, <=, >, >=) and operators (+, -, *, /) over integer 
and real variables. There are two predefined predicates preInt and preReal that 
refer to previous values: the expression preInt(init,n), for integer expression n, 
returns the value of n at the previous timepoint; at the beginning of the trace, 
where there is no previous value, the value of init is returned instead. Currently, 
FRETish does not allow arbitrary nesting of temporal operators, e.g. “In mode 
m, before q the system shall...”. Timed operators with intermediate bounds are 
also not currently expressible; e.g., the equivalent of H[i, j] p, where i ≠ 0. 
Fig. 1. Implementation views for realizability checking in FRET. 


For the remainder of the paper we use a running example, namely Finite 
State Machine (FSM), to demonstrate the various aspects of our framework. 
FSM contains 13 requirements for an abstracted version of an advanced autopi- 
lot system, and is part of the Lockheed-Martin Cyber-Physical Challenge Prob- 
lems [18,32,42]. The requirements capture safety expectations with regards to 
the autopilot system’s state transitions. Table 2 contains two FSM requirements 
written in FRETISH and their pmLTL formulas, which are generated by FRET. 


4 Implementation 


Figure 1a shows the architectural components of FRET that communicate with 
or belong to the Realizability Analysis framework. Grayed components illustrate 
the contributions of this paper. The asterisks in Simulator and JKind indicate 
that their existing implementation and features were considerably extended for 
this work. Arrows show the flow of data between components. All components are 
implemented in JavaScript using the React, Material-UI and D3 libraries [2,5,6]. 

FRET requirements are written using the Editor/Elicitor component, which 
also provides semantic explanations in various forms to assist users to clarify subtle 
semantic issues. The Simulator component provides an interactive visualizer 
based on graphical signal representation. Given a FRET requirement, it shows 
temporal traces of each of the variables involved as well as the valuation of the 
requirement for each point in time. The user can interactively modify the input 
signals, which results in automatically updating the valuation of the requirement 
and thus, visually inspecting the temporal behavior of the requirement. As part 
of this work, we extended the Simulator with the following features: 1) the ability 
to import and export simulation traces, 2) support for numerical expressions, 
and 3) simultaneous visualization of multiple requirements. We integrated the 
Simulator in our realizability analysis workflow, to provide the ability to inspect 
and interact with counterexample traces in unrealizable specifications. 


¹ The FRET architecture is described in previous work by Giannakopoulou et al. [26]. 

The Variable Mapping component collects essential information provided by 
the user regarding the variables of the requirements, e.g., data types and corre- 
spondence to system inputs or outputs. Realizability Analysis consists of three 
sub-components. The Realizability Checking Engine is responsible for checking 
realizability of requirement sets either monolithically or compositionally. Given 
an unrealizable set of requirements, the Realizability Diagnosis Engine imple- 
ments the algorithm proposed by Könighofer et al. [33,34] to compute all min- 
imal unrealizable sets of requirements, called minimal unrealizable cores. For 
each such core, a counterexample trace is computed that depicts a case under 
which the environment can lead the system into a deadlocking state. For the 
computation of minimal conflicts, our implementation uses the delta-debugging 
algorithm [49]. The Visualizer implements the user interface that displays anal- 
ysis results as well as diagnostic results in the case of unrealizable specifications. 
These results are typically hard to digest in their original form. As such, the visu- 
alizer translates the information into an interactive diagram that allows the user 
to focus on unrealizable cores and inspect or simulate conflicting requirements. 

We have integrated into FRET the JKIND [23] and KIND 2 [11] tools for 
checking realizability. We actively maintain a fork of JKIND [80], because the 
original repository lacks an implementation for the fixpoint algorithm by Katis 
et al. [31]. Formerly, the fork implementation relied on the AE-VAL solver’s 
Model-Based Projection algorithm to perform quantifier elimination over forall- 
exists formulas [20,21]. As part of this work, we have improved its performance 
by utilizing Z3’s [16] quantifier elimination tactics. For instance, for the analysis 
of FSM the version of JKind using AE-VAL took 1524.82 s [43], whereas our 
optimization through Z3 dramatically decreased the time to 0.6 s. 

The flow of usage of our framework is as follows (Fig. 1b). Once requirements 
are written in FRETish and variable information is provided, the user may start 
the analysis. Realizability can be performed through two different modes: 1) 
monolithic and 2) compositional, i.e., through the computation of independent 
sub-specifications, namely connected components. Each connected component 
is an undirected dependency graph with requirements as vertices and system 
outputs as edges. Compositional analysis has been shown to be faster and more 
likely to return a result, compared to the monolithic option [43]. At the next step, the 
specification is translated to Lustre [29] and fed into JKIND and KIND 2 to 
perform realizability checking. If the specification is unrealizable, the user can 
diagnose it using the generated counterexamples, and the FRET simulator. 
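As an added illustration of the compositional workflow described above (this is example code written for this edit, not FRET's own implementation), the following first splits a toy specification into connected components, with requirements as vertices and shared system outputs as the edges, and then shrinks an unrealizable component to a 1-minimal unrealizable core with the classic ddmin formulation of delta debugging; which variant of the delta-debugging algorithm [49] the paper's diagnosis engine uses is not stated here, so that is an assumption. The requirement ids, their output sets and the realizability oracle are all constructed for the example: a real oracle would run JKind or Kind 2 on the component, whereas here a set is declared unrealizable exactly when it contains the hypothetical conflicting pair R2 and R3.

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed toy specification: requirement id -> system outputs it constrains.
# The ids and output names are hypothetical; they are not the FSM requirements.
SPEC: Dict[str, Set[str]] = {
    "R1": {"STATE"},
    "R2": {"STATE", "mode"},
    "R3": {"mode"},
    "R4": {"alarm"},
    "R5": {"alarm", "led"},
    "R6": {"heater"},
}


def connected_components(spec: Dict[str, Set[str]]) -> List[List[str]]:
    """Requirements are vertices; two are adjacent when they constrain a common
    system output. Union-find over requirement ids: every output joins all of
    the requirements that mention it, so a component is one independent
    sub-specification."""
    parent = {r: r for r in spec}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    users: Dict[str, List[str]] = {}
    for req, outs in spec.items():
        for out in outs:
            users.setdefault(out, []).append(req)
    for reqs in users.values():
        for other in reqs[1:]:
            ra, rb = find(reqs[0]), find(other)
            if ra != rb:
                parent[ra] = rb

    groups: Dict[str, List[str]] = {}
    for req in spec:
        groups.setdefault(find(req), []).append(req)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def ddmin(items: List[str], fails: Callable[[List[str]], bool]) -> List[str]:
    """Zeller's delta debugging: return a 1-minimal sub-list of `items` for
    which `fails` is still true (here: the requirement set is still
    unrealizable). Removing any single element from the result makes it pass."""
    items = list(items)
    n = 2  # current granularity (number of chunks)
    while len(items) >= 2:
        size = (len(items) + n - 1) // n
        subsets = [items[k:k + size] for k in range(0, len(items), size)]
        reduced = False
        for s in subsets:                      # try to reduce to one chunk
            if fails(s):
                items, n, reduced = s, 2, True
                break
        if not reduced:
            for s in subsets:                  # try to reduce to a complement
                rest = [x for x in items if x not in s]
                if rest and fails(rest):
                    items, n, reduced = rest, max(n - 1, 2), True
                    break
        if not reduced:
            if n >= len(items):
                break                          # granularity exhausted: 1-minimal
            n = min(n * 2, len(items))
    return items


# Constructed oracle standing in for the JKind / Kind 2 realizability check:
# a requirement set is "unrealizable" exactly when it contains both R2 and R3.
def toy_unrealizable(reqs: List[str]) -> bool:
    return {"R2", "R3"} <= set(reqs)


def analyze(spec: Dict[str, Set[str]],
            unrealizable: Callable[[List[str]], bool]) -> List[Dict[str, object]]:
    """Compositional analysis: check each connected component on its own and,
    for unrealizable ones, report one minimal unrealizable core."""
    report: List[Dict[str, object]] = []
    for cc in connected_components(spec):
        bad = unrealizable(cc)
        core: Optional[List[str]] = sorted(ddmin(cc, unrealizable)) if bad else None
        report.append({"component": cc, "unrealizable": bad, "core": core})
    return report


if __name__ == "__main__":
    for entry in analyze(SPEC, toy_unrealizable):
        print(entry)
```

The oracle is the only part that needs replacing to make this real: every `fails(...)` call in `ddmin` would become one realizability check of the candidate subset, which is why the number of oracle calls, not the graph work, dominates diagnosis time.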
5 Features Walkthrough 


We next demonstrate the features of our framework through our running example. 


[Fig. 2 image: screenshot of the realizability checking interface listing the FSM requirements; the one fully legible entry reads FSM002 "FSM shall always satisfy (standby & state = ap_transition_state) => STATE = ap_standby_state".] 


Fig. 2. The realizability checking interface in FRET. 


Realizability Checking. Figure 2 provides a snapshot of the overall graphical 
user interface (GUI) for realizability checking in FRET. As soon as the system 
component is selected, its connected components (CC) are computed. In the case 
of FSM, three CCs are identified. The GUI provides a focused view for each one 
(‘CCX’ tabs, with X being the corresponding index value), where the user can 
see which requirements participate in each CC via a table that dynamically grays 
out unrelated requirements. As soon as the CCs are computed, the realizability 
checking options become available, i.e., compositional and monolithic. 

To check realizability, the user clicks the ‘Check’ button. Depending on the 
input specification, four possible answers may be given, i.e., the specification is 
realizable, unrealizable, inconsistent, or the analysis is inconclusive (“unknown” 
result). Figure 2 shows the results of a compositional check for FSM, where connected 
components CC0 and CC1 are unrealizable, and CC2 is realizable. 


Diagnosing Unrealizability. The compositional results above suggest that 
the FSM requirements are, as a whole, unrealizable. The next step in the process 
is to try and understand the source(s) of unrealizability. Since only CC0 and CC1 
are unrealizable, it suffices to diagnose these independently. Following Fig. 2, the 
user selects the ‘CC0’ tab and clicks the ‘Diagnose’ button. The computation of 
minimal unrealizable cores kicks in, as outlined in Sect. 4, identifying 4 cores. 


Visualizing Unrealizability. The raw artifacts produced by realizability check- 
ing and diagnosis are difficult for the users to digest. Therefore, the ability to 
visualize data in a user-friendly format is necessary, especially for unrealizable 
specifications. The core of our proposed solution to visualize unrealizability relies 
on the use of chord diagrams [1]. A chord diagram is a graphic representation of 
interrelationships between data, where each individual element is placed along 
the perimeter of a circular construct and relationships are depicted through edges 
between elements. An important feature of chord diagrams is the ability to main- 
tain a clear representation of dependencies through hierarchical edge bundling [28], 
even when the size of data is large. 


[Fig. 3 image: four chord-diagram panels (a) to (d); requirement labels such as FSM005 and FSM006 are visible, but the diagrams themselves are not recoverable from the text.] 


Fig. 3. (a) Chord Diagram for connected component CC0 in FSM. (b) Chord Diagram 
for Infusion Manager. (c) Focused view (one core) for Infusion_Manager. (d) Focused 
view (one requirement) for Infusion Manager. 


Figure 3a shows the chord diagram that is generated for connected component 
CC0 in FSM. Requirements and conflicts (i.e., unrealizable cores) define the input 
data to the chord diagram, which depicts each set using a distinguishable arc on 
the circular pattern (left and right arc, respectively). Chords, i.e., edges, connect 
each requirement to the conflicts that it appears in, with each edge being assigned 
a distinct color that matches the color-coded conflicts. 

While hierarchical edge bundling helps us maintain a clear total view, it may 
be the case that the engineer would like to focus on a particular subset of 
dependencies, related to either a particular requirement or a specific conflict. 
We enable this through interactive means where parts of the interface that are not 
related to the selected element can be filtered out. Figure 2 shows an instance 
where the user has already interacted with the chord diagram for CC0, focusing 
on the unrealizable core containing [FSM-006] and [FSM-007]. The table of 
requirements is dynamically sorted so that relevant requirements appear on the 
top, and are outlined with the color of the corresponding conflict. Additionally, a 
counterexample witnessing the unrealizability of the conflict is displayed. Table 3 
shows the counterexample for requirements [FSM-006] and [FSM-007]. 


Table 3. Counterexample for conflicting requirements [FSM-006] and [FSM-007]. 

Variable name  Variable type  Step 0  Step 1  Step 2  Step 3  Step 4  Step 5 
good           bool           true    true    true    true    true    true 
standby        bool           false   false   false   false   false   true 
state          int            2       2       2       2       2       2 
supported      bool           true    true    true    true    true    true 
STATE          int            1       4       5       6       7       0 
FSM-006        bool           true    true    true    true    true    false 
FSM-007        bool           true    true    true    true    true    true 

498 A. Katis et al. 
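To make the trace semantics behind Table 2 and Table 3 concrete, here is an added example (written for this edit; it is not code from the paper, from FRET or from JKind) that evaluates the pmLTL formulas of [FSM-006] and [FSM-007] step by step over a constructed copy of the Table 3 counterexample and reproduces the two valuation rows of that table. The operator definitions (H, Y, O[<=n], O[<n]) are the standard past-time LTL semantics assumed here; the response of [FSM-007] is encoded as the negation of the whole implication (state = 2 & supported & good) => STATE = 0, which is how the 'within N time steps' timing of Sect. 3 reads and is an assumption about the parenthesization printed in Table 2. The helper `with_state` is added to show why the trace is a deadlock: at step 5 no value of STATE satisfies both requirements.

```python
from typing import Callable, Dict, List, Optional

# A trace is a list of per-step variable valuations (step 0 first).
Trace = List[Dict[str, object]]
# A formula is evaluated at a trace position and yields a truth value.
Formula = Callable[[Trace, int], bool]

# Constructed copy of the counterexample in Table 3. The first four variables
# are environment inputs; STATE is the output the system has to choose.
TABLE3: Trace = [
    {"good": True, "standby": False, "state": 2, "supported": True, "STATE": 1},
    {"good": True, "standby": False, "state": 2, "supported": True, "STATE": 4},
    {"good": True, "standby": False, "state": 2, "supported": True, "STATE": 5},
    {"good": True, "standby": False, "state": 2, "supported": True, "STATE": 6},
    {"good": True, "standby": False, "state": 2, "supported": True, "STATE": 7},
    {"good": True, "standby": True,  "state": 2, "supported": True, "STATE": 0},
]

# --- propositional layer -------------------------------------------------
def atom(pred: Callable[[Dict[str, object]], bool]) -> Formula:
    return lambda tr, i: bool(pred(tr[i]))

TRUE: Formula = lambda tr, i: True

def neg(f: Formula) -> Formula:
    return lambda tr, i: not f(tr, i)

def conj(*fs: Formula) -> Formula:
    return lambda tr, i: all(f(tr, i) for f in fs)

def implies(a: Formula, b: Formula) -> Formula:
    return lambda tr, i: (not a(tr, i)) or b(tr, i)

# --- past-time temporal layer (assumed standard semantics) --------------
def Y(f: Formula) -> Formula:
    """Yesterday: f held at the previous step; false at step 0."""
    return lambda tr, i: i > 0 and f(tr, i - 1)

def H(f: Formula) -> Formula:
    """Historically: f held at every step from 0 up to and including i."""
    return lambda tr, i: all(f(tr, j) for j in range(i + 1))

def O_le(n: int, f: Formula) -> Formula:
    """O[<=n]: f held at some step j with i - n <= j <= i."""
    return lambda tr, i: any(f(tr, j) for j in range(max(0, i - n), i + 1))

def O_lt(n: int, f: Formula) -> Formula:
    """O[<n]: f held at some step j with i - n < j <= i."""
    return lambda tr, i: any(f(tr, j) for j in range(max(0, i - n + 1), i + 1))

# !(Y TRUE) holds exactly at step 0, so O[<=5] (! (Y TRUE)) means
# "we are still within the first six steps": the 'for 5 ticks' window.
AT_START = neg(Y(TRUE))

# [FSM-006]: H ((O[<=5] (! (Y TRUE))) -> ((state = 2 & standby & good) -> STATE = 3))
FSM006: Formula = H(implies(
    O_le(5, AT_START),
    implies(conj(atom(lambda v: v["state"] == 2),
                 atom(lambda v: v["standby"]),
                 atom(lambda v: v["good"])),
            atom(lambda v: v["STATE"] == 3))))

# [FSM-007]: H ((H (! ((state = 2 & supported & good) -> STATE = 0))) -> (O[<5] (! (Y TRUE))))
# i.e. as long as the response has never held, we must still be within the first five steps.
FSM007_RESPONSE: Formula = implies(
    conj(atom(lambda v: v["state"] == 2),
         atom(lambda v: v["supported"]),
         atom(lambda v: v["good"])),
    atom(lambda v: v["STATE"] == 0))
FSM007: Formula = H(implies(H(neg(FSM007_RESPONSE)), O_lt(5, AT_START)))


def valuation(f: Formula, tr: Trace) -> List[bool]:
    """The per-step valuation row that the simulator draws for a requirement."""
    return [f(tr, i) for i in range(len(tr))]


def first_violation(f: Formula, tr: Trace) -> Optional[int]:
    """Index of the first step at which f is false, or None if it holds throughout."""
    return next((i for i, ok in enumerate(valuation(f, tr)) if not ok), None)


def with_state(tr: Trace, step: int, value: int) -> Trace:
    """Copy of tr with the system output STATE replaced at one step."""
    out = [dict(v) for v in tr]
    out[step]["STATE"] = value
    return out


if __name__ == "__main__":
    for name, f in (("FSM-006", FSM006), ("FSM-007", FSM007)):
        print(name, valuation(f, TABLE3), "first violation at", first_violation(f, TABLE3))
```

Running the block prints the two bottom rows of Table 3. Changing STATE at step 5 from 0 to 3 (via `with_state`) repairs [FSM-006] but breaks [FSM-007] at the same step, which is the deadlock the counterexample witnesses: once the environment raises standby at step 5 with state = 2, supported and good all true, the system has no output that satisfies both requirements.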


[Fig. 4 image: simulator window with one signal row each for state, standby, supported, STATE, FSM-006 and FSM-007; the plotted values are those of Table 3.] 
Fig. 4. Simulation of conflicting requirements [FSM-006] and [FSM-007]. 


Simulating Conflicting Requirements. Our experience with counterexam- 
ples has indicated that a single execution trace is not enough to truly understand 
interactions between requirements. Therefore, we provide the ability for the user 
to interact with the set of conflicting requirements by using the FRET simulator, 
which we have substantially extended to meet our needs in visualizing conflicting 
requirements. Figure 4 shows how the counterexample (Table 3) for [FSM-006] 
and [FSM-007] is displayed in the simulator window: each line shows the values 
of the input signals as well as the valuation of each of the requirements. 

The counterexample in Table 3 is not the only witness to the unrealizability of 
these requirements. Another example is a trace where requirement [FSM-006] 
holds for 5 consecutive ticks, leading to a violation of requirement [FSM-007] 
at the last tick, assuming that the antecedent of the latter was true at least once 
within the last 5 ticks. By modifying the values of the input variables, a user 
may identify additional witnesses to unrealizability causes. Combined with the 
ability to store and review traces, the simulator makes for an integral element 
towards understanding and repairing unrealizable specifications. 
6 Case Studies 


6.1 Lift Plus Cruise Aircraft 


This study reports preliminary results on requirements for an autonomous ‘lift 
plus cruise’ concept aircraft.² This aircraft has a hovering vehicle mode, using 
its lifting rotors. From the hover mode, it can transition to a flying forward 
mode, eventually using its rear pusher propeller, and where lift is provided by 
the wing instead of the lifting rotors. In between the hover and forward modes is 
a transitional mode which is a phase of concern for the aircraft engineers. 


Table 4. FRETish requirements for Lift Plus Cruise from Katis et al. [32]. 

[LPC01]  The vehicle shall immediately satisfy vehicle_mode = hover 
         H ((! (Y TRUE)) -> vehicle_mode = hover) 

[LPC02]  While vehicle_mode = hover, the vehicle shall never satisfy gndspeed > 20.0 
         H ((vehicle_mode = hover) -> (! (gndspeed > 20.0))) 

[LPC03]  While vehicle_mode = hover, the vehicle shall eventually satisfy ! rear_propeller 
         (H (((! (vehicle_mode = hover)) & (Y (vehicle_mode = hover))) -> (Y (! 
         (((! (! rear_propeller)) S ((! (! rear_propeller)) & ((vehicle_mode = 
         hover) & ((! (Y TRUE)) | (Y (! (vehicle_mode = hover))))))))))) & ((((! 
         ((! (vehicle_mode = hover)) & (Y (vehicle_mode = hover)))) S ((! ((! 
         (vehicle_mode = hover)) & (Y (vehicle_mode = hover)))) & ((vehicle_mode 
         = hover) & ((! (Y TRUE)) | (Y (! (vehicle_mode = hover))))))) -> (! ((! 
         (! rear_propeller)) S ((! (! rear_propeller)) & ((vehicle_mode = hover) & 
         (((! (Y TRUE)) | (Y (! (vehicle_mode = hover))))))))) 

[LPC04]  The vehicle shall always satisfy if (preInt(hover,vehicle_mode) = hover & 
         preReal(0.0,gndspeed) > 15.0) then vehicle_mode = transitional 
         (H (((preInt(hover,vehicle_mode) = hover) & (preReal(0.0,gndspeed) > 
         15.0)) -> vehicle_mode = transitional)) 

[LPC09]  The vehicle shall always satisfy if (preInt(hover,vehicle_mode) = transitional & 
         preReal(0.0,airspeed) > 100.0) then vehicle_mode = forward 
         (H (((preInt(hover,vehicle_mode) = transitional) & (preReal(0.0,airspeed) 
         > 100.0)) -> (vehicle_mode = forward))) 


As of this paper, 11 requirements have been formalized in FRET [32]. A 
subset is shown in Table 4, describing the transition relations and constraints 
among various vehicle modes and vehicle motion. Requirement [LPC01] states 
that the vehicle starts in hover mode. Requirement [LPC04] specifies that if 
the previous mode is hover, and ground speed is greater than 15 knots, then the 
vehicle enters transitional mode. Requirement [LPC09] states the conditions for 
transitioning to forward mode. Variables hover, transitional and forward are 
specified as distinct integer constants. All of the other variables, e.g., airspeed, 
rear_propeller, are outputs. 


² We acknowledge discussions with John Kaneshige, Michael Feary and the Revolu- 
tionary Vertical Lift Technology team. 
The first complete set of FRETISH requirements raised concerns, as realiz- 
ability checking yielded non-sensical counterexamples, where at least one require- 
ment between [LPC04] and [LPC09] was violated in the initial state. We 
quickly identified the issue: both requirements were written using a version of 
the ‘previous’ operator pre which is undefined at the initial state. We addressed 
this by introducing the preInt and preReal operators, which at the initial state 
return the value of their first argument. 
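As an added illustration (not FRET's or Kind 2's code) of the past-time operators in Table 4 and of the preInt/preReal fix just described, the following Python evaluator checks [LPC03], [LPC04] and [LPC09] over constructed traces; the integer mode constants, the trace values and the rear_propeller/gndspeed/airspeed encodings are assumptions.

```python
"""Past-time LTL check of FRET-style requirements from the lift-plus-cruise study.

Added example (not FRET's or Kind 2's own code): a small evaluator for the
past-time operators in FRET's pmLTL output (H = historically, Y = yesterday,
S = since), plus the preInt/preReal operators the text introduces, run over
constructed traces of vehicle_mode, speeds and rear_propeller.
"""
from typing import Callable, Dict, List

HOVER, TRANSITIONAL, FORWARD = 0, 1, 2      # constructed distinct mode constants

Trace = List[Dict[str, object]]             # one valuation per time step
Pred = Callable[[Trace, int], bool]         # truth value of a formula at step k

TRUE: Pred = lambda tr, k: True
NOT = lambda p: (lambda tr, k: not p(tr, k))
AND = lambda p, q: (lambda tr, k: p(tr, k) and q(tr, k))
OR = lambda p, q: (lambda tr, k: p(tr, k) or q(tr, k))
IMPLIES = lambda p, q: (lambda tr, k: (not p(tr, k)) or q(tr, k))


def Y(p: Pred) -> Pred:
    """Yesterday: p held one step earlier; false at the initial step."""
    return lambda tr, k: k > 0 and p(tr, k - 1)


def H(p: Pred) -> Pred:
    """Historically: p held at every step from 0 up to and including k."""
    return lambda tr, k: all(p(tr, i) for i in range(k + 1))


def S(p: Pred, q: Pred) -> Pred:
    """Since: q held at some step j <= k and p held at every step after j up to k."""
    def ev(tr, k):
        return any(q(tr, j) and all(p(tr, i) for i in range(j + 1, k + 1))
                   for j in range(k + 1))
    return ev


def pre(default, name: str) -> Callable[[Trace, int], object]:
    """preInt / preReal: previous value of `name`, or `default` at the initial
    step. A plain 'previous' operator has no value at step 0, which is the
    source of the spurious counterexamples the text describes."""
    return lambda tr, k: default if k == 0 else tr[k - 1][name]


def at(name: str):
    return lambda tr, k: tr[k][name]

# [LPC04]: H ((preInt(hover, vehicle_mode) = hover & preReal(0.0, gndspeed) > 15.0)
#             -> vehicle_mode = transitional)
LPC04 = H(IMPLIES(
    lambda tr, k: pre(HOVER, "vehicle_mode")(tr, k) == HOVER
    and pre(0.0, "gndspeed")(tr, k) > 15.0,
    lambda tr, k: at("vehicle_mode")(tr, k) == TRANSITIONAL))

# [LPC09]: H ((preInt(hover, vehicle_mode) = transitional & preReal(0.0, airspeed) > 100.0)
#             -> vehicle_mode = forward)
LPC09 = H(IMPLIES(
    lambda tr, k: pre(HOVER, "vehicle_mode")(tr, k) == TRANSITIONAL
    and pre(0.0, "airspeed")(tr, k) > 100.0,
    lambda tr, k: at("vehicle_mode")(tr, k) == FORWARD))

# [LPC03]: "While vehicle_mode = hover, the vehicle shall eventually satisfy
# ! rear_propeller", built from the same mode-start / mode-end blocks that
# appear in FRET's pmLTL formula for this requirement.
in_hover = lambda tr, k: at("vehicle_mode")(tr, k) == HOVER
mode_start = AND(in_hover, OR(NOT(Y(TRUE)), Y(NOT(in_hover))))
mode_end = AND(NOT(in_hover), Y(in_hover))
not_r = NOT(NOT(at("rear_propeller")))           # !(! rear_propeller)
unmet = S(not_r, AND(not_r, mode_start))         # response still owed since mode start
LPC03 = AND(H(IMPLIES(mode_end, Y(NOT(unmet)))),
            IMPLIES(S(NOT(mode_end), AND(NOT(mode_end), mode_start)), NOT(unmet)))


def holds(req: Pred, tr: Trace) -> bool:
    """pmLTL is evaluated at the last step of a finite trace."""
    return req(tr, len(tr) - 1)


def step(mode, gndspeed, airspeed, rear_propeller):
    return {"vehicle_mode": mode, "gndspeed": gndspeed,
            "airspeed": airspeed, "rear_propeller": rear_propeller}

# Constructed traces (not flight data): a nominal hover -> transitional ->
# forward sequence, and one that stays in hover (propeller still on) after
# exceeding 15 knots, which violates [LPC04] and leaves [LPC03] unsatisfied.
GOOD: Trace = [step(HOVER, 0.0, 0.0, True), step(HOVER, 20.0, 20.0, False),
               step(TRANSITIONAL, 60.0, 120.0, False), step(FORWARD, 150.0, 160.0, False)]
BAD: Trace = [step(HOVER, 0.0, 0.0, True), step(HOVER, 20.0, 20.0, True),
              step(HOVER, 30.0, 30.0, True)]


def check(tr: Trace) -> Dict[str, bool]:
    return {"LPC03": holds(LPC03, tr), "LPC04": holds(LPC04, tr),
            "LPC09": holds(LPC09, tr)}


if __name__ == "__main__":
    print(check(GOOD))   # {'LPC03': True, 'LPC04': True, 'LPC09': True}
    print(check(BAD))    # {'LPC03': False, 'LPC04': False, 'LPC09': True}
```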

The resulting 11 requirements are in one CC, so we ran analysis in mono- 
lithic mode. The requirements are shown to be realizable in about 8s. As a san- 
ity check for realizability, we experimented with various subsets of the original 
requirements, as well as adding contradictions. A notable example was omitting 
[LPC01], while modifying [LPC03] so that in hover mode, the vehicle must fly 
faster than 30 knots. This experiment, unexpectedly to us, led to realizability. 
Further inspection quickly revealed how omitting [LPC01] allows the controlled 
variable vehicle_mode to never enter the hover mode. Including [LPC01] led 
to unrealizability with minimal conflict [LPC01], [LPC02] and [LPC03]. 


6.2 Generic Infusion Pump 


This study explores 12 formalized requirements, proven unrealizable by Gacek et 
al. [24], of the Infusion Manager subcomponent for a Generic Patient Controlled 
Analgesic (GPCA) infusion pump [44]. The GPCA system originates from the 
Generic Infusion Pump Research project, a joint effort to identify best software 
engineering practices in the development of medical devices [4]. 

Taking advantage of FRETISH’s support for system modes (scope field), 
we derived 26 requirements, as opposed to the original 12 [32]. The increased 
number is a direct product of the declaration of 8 distinct modes, stemming from 
the system variable Current_System_Mode, which was originally of integer type. 
For example, requirement G1 from Gacek et al.: 


$G1 = (\mathit{Current\_System\_Mode}' \geq 0) \wedge (\mathit{Current\_System\_Mode}' < 8) \wedge (\mathit{Current\_System\_Mode}' = 0 \Rightarrow \mathit{Commanded\_Flow\_Rate}' = 0) \wedge (\mathit{Current\_System\_Mode}' = 1 \Rightarrow \mathit{Commanded\_Flow\_Rate}' = 0)$


was rewritten into three requirements: G1 ensures that the system is in at least 
one of the 8 modes at any time, while requirements G12 and G13 ensure that the 
pump’s flow rate is equal to 0 when the system is in mode 0 or 1, respectively. We 
additionally introduced requirements to ensure mutual exclusion between modes, 
something that was not needed with a single mode variable. We used KIND 2 to 
show equivalence between our requirements and the original specification. 

Gacek et al. had already shown that the Infusion Manager requirements are 
unrealizable, verbally attributing unrealizability to a conflict between G1 and 
requirement G7: 


$G7 = (\mathit{System\_On} \wedge \mathit{Highest\_Level\_Alarm} = 3) \Rightarrow (\mathit{Commanded\_Flow\_Rate}' = \mathit{Flow\_Rate\_KVO})$
The authors claimed that the requirements are unrealizable because they dis- 
agree on the value of output Commanded_Flow_Rate under specific conditions. 
However, FRET’s diagnostic procedure provided a different answer, identifying 
8 minimal unrealizable cores. Furthermore, the assumed conflict between require- 
ments G1 and G7 does not really exist. While the two requirements do disagree 
on the value for the system output Commanded_Flow_Rate under specific cir- 
cumstances, a realization still exists: one which would never exercise modes 0 or 
1! Nevertheless, the report by Gacek et al. was still on the right track, as part of 
G1 (FRETISH requirement G13) and G7 participate in at least one minimal 
unrealizable core with requirement G11, the latter enforcing the system to enter 
mode 1, given specific system input values: 


$G11 = (\mathit{System\_On} \wedge \mathit{Configured} < 1) \Rightarrow \mathit{Current\_System\_Mode}' = 1$


Figure 3b shows the chord diagram for Infusion Manager, depicting the 8 
minimal unrealizable cores. Figures 3c and 3d show resulting states of the dia- 
gram after the user interacted with it in order to focus on a specific core, or a 
specific requirement, respectively. 


7 Conclusion 


We presented the realizability analysis framework in FRET and demonstrated 
its interactive GUI, which helps users diagnose unrealizable specifications 
through visualizations and simulation of conflicts. The framework employs state- 
of-the-art analysis algorithms that support infinite theories. In the future, we 
plan to extend the tool with recommendations in the form of environment 
assumptions. 
Abstract. Compositional synthesis relies on the discovery of assump- 
tions, i.e., restrictions on the behavior of the remainder of the system 
that allow a component to realize its specification. In order to avoid los- 
ing valid solutions, these assumptions should be necessary conditions for 
realizability. However, because there are typically many different behav- 
iors that realize the same specification, necessary behavioral restrictions 
often do not exist. In this paper, we introduce a new class of assumptions 
for compositional synthesis, which we call information flow assumptions. 
Such assumptions capture an essential aspect of distributed computing, 
because components often need to act upon information that is available 
only in other components. The presence of a certain flow of information 
is therefore often a necessary requirement, while the actual behavior 
that establishes the information flow is unconstrained. In contrast to 
behavioral assumptions, which are properties of individual computation 
traces, information flow assumptions are hyperproperties, i.e., properties 
of sets of traces. We present a method for the automatic derivation of 
information-flow assumptions from a temporal logic specification of the 
system. We then provide a technique for the automatic synthesis of com- 
ponent implementations based on information flow assumptions. This 
provides a new compositional approach to the synthesis of distributed 
systems. We report on encouraging first experiments with the approach, 
carried out with the BoSyHyper synthesis tool. 


1 Introduction 


In distributed synthesis, we are interested in the automatic translation of a formal 
specification of a distributed system’s desired behavior into an implementation 
that satisfies the specification [22]. What makes distributed synthesis far more 
interesting than the standard synthesis of reactive systems, but also more chal- 
lenging, is that the result consists of a set of implementations of subsystems, 
each of which operates based only on partial knowledge of the global system 
state. While algorithms for distributed synthesis have been studied since the 
1990s [10,18,22], their high complexity has resulted in applications of distributed 
synthesis being, so far, very limited. 

One of the most promising approaches to making distributed synthesis more 
scalable is compositional synthesis [7,9,14,19,23]. The compositional synthesis of 
a distributed system with two processes, p and q, avoids the construction of the 
product of p and q and instead focuses on one process at a time. Typically, it is 
impossible to realize one process without making certain assumptions about the 
other process. Compositional synthesis therefore critically depends on finding 
the assumption that p must make about q, and vice versa: once the assump- 
tions are known, one can build each individual process, relying on the fact that 
the assumption will be satisfied by the synthesized implementation of the other 
process. Ideally, the assumptions should be both sufficient (i.e., the processes 
are realizable under the assumptions) and necessary (i.e., any implementation 
that satisfies the specification would also satisfy the assumptions). Without suffi- 
ciency, the synthesis cannot find a compositional solution; without necessity, the 
synthesis loses valid solutions. While sufficiency is obviously checked as part of 
the synthesis process, it is often impossible to find necessary conditions, because 
the specifications can be realized by many different behaviors. Any concrete 
implementation would lead to a specific assumption; however, this implementa- 
tion is only known once the synthesis is complete, and an assumption that is 
satisfied by all implementations often does not exist. 

In this paper, we propose a way out of this chicken-and-egg type of situation. 
Previous work on generating assumptions for compositional synthesis has focused 
on behavioral restrictions on the environment of a subsystem. We introduce 
a new class of more abstract assumptions that, instead, focus on the flow of 
information. Consider a system architecture (depicted in Fig. 1a) where two 
processes a and b are linked by a communication channel c, such that a can 
write to c and b can read from c. Suppose also that a reads a boolean input in 
from the environment that is, however, not directly visible to b. We are interested 
in a distributed implementation for a specification that demands that b should 
eventually output the value of input in. Since b cannot observe in, its synthesis 
must rely on the assumption that the value of in will be communicated over the 
channel c by process a. Expressing this as a behavioral assumption is difficult, 
because there are many different behaviors that accomplish this. Process a could, 
for example, literally copy the value of in to c. It could also encode the value, for 
example by writing to c the negation of the value of in. Alternatively, it could 
delay the transmission of in by an arbitrary number of steps, and even use the 
length of the delay to encode information about the value of in. Fixing any such 
communication protocol, by a corresponding behavioral assumption on a, would 
unnecessarily eliminate potential implementations of b. The minimal assumption 
that subsystem a must satisfy is in fact an information-flow assumption, namely 
that b will eventually be able to determine the value of in. 

We present a method that derives necessary information flow assumptions 
automatically. A fundamental difference between behavioral and information flow 
assumptions is that behavioral assumptions are trace properties, i.e., properties 
of individual traces; by contrast, information flow assumptions are hyperproper- 
ties, i.e., properties of sets of traces. In our example, the assumption that a will 
eventually communicate the value of in to b is the hyperproperty that any two 
traces that differ in the value of in must eventually also differ in c. The precise 
difference between the two traces depends on the communication protocol chosen 
in the implementation of a; however, any correct implementation of a must ensure 
that some difference in b’s input (on channel c) in the two traces occurs, so that b 
can then respond with a different output. 

Once we have obtained information flow assumptions for all of the subsys- 
tems, we proceed to synthesize each subsystem under the assumption generated 
for its environment. It is important to note that, at this point, the implemen- 
tation of the environment is not known yet; as a result, we only know what 
information will be provided to process b, but not how. This also means that 
we cannot yet construct an executable implementation of the process under 
consideration; after all, this implementation would need to correctly decode the 
information provided by its partner processes. Clearly, we cannot determine how 
to decode the information before we know how the implementation of the sending 
process encodes the information! 

Our solution to this quandary is to synthesize a prototype of an implementa- 
tion for the process that works with any implementation of the sender, as long 
as the sender satisfies the information flow requirement. The prototype differs 
from the actual implementation in that it has access to the original (unencoded) 
information. Because of this information the prototype, which we call a hyper 
implementation, can determine the correct output that satisfies the specification. 
Later, in the actual implementation, the information is no longer available in its 
original, unencoded form, but must instead be decoded from the communica- 
tion received from the environment. However, the information flow assumption 
guarantees that this is actually possible, and access to the original information 
is, therefore, no longer necessary. 

In Sect. 2, we explain our approach in more detail, continuing the discussion 
of the bit transmission example mentioned above. The paper then proceeds to 
make the following contributions: 


— We introduce the notion of necessary information flow assumptions (Sect. 4.1) 
for distributed systems with two processes and present a method for the 
automatic derivation of such assumptions from process specifications given in 
linear-time temporal logic (LTL). 

— We strengthen information flow assumptions to the notion of time-bounded 
information flow assumptions (Sect. 4.2), which characterizes information that 
must be received in finite time. We introduce the notion of uniform distin- 
guishability and prove that uniform distinguishability guarantees the necessity 
of the information flow assumption. 

— We introduce the notion of hyper implementations (Sect.5) and provide a 
synthesis method for their automatic construction. We also explain how to 
transform hyper implementations into actual process implementations. 
[Figure 1, not reproduced; panel titles: (c) The hyper implementation of a, (d) The implementation of b] 

Fig. 1. The distributed system of the bit transmission protocol. The architecture is 
given in (a), the hyper implementation of b in (b), the hyper implementation of a in (c), 
and the resulting local implementation of b in (d). 


— We present a more restricted practical approach (Sect. 6) that simplifies the 
synthesis for cases where the information flow assumption refers to a finite 
amount of information. 

— Finally, we report on encouraging experimental results (Sect. 7). 


2 The Bit Transmission Problem 


We use the bit transmission example from the introduction to motivate our app- 
roach. The example consists of two processes a and b that are combined into 
the distributed architecture shown in Fig. 1a. Process a observes the (binary) 
input of the environment through variable in and can communicate with the 
second process b via a channel (modeled by the shared variable c). Process b 
observes its own local input from a and has a local output out. We are inter- 
ested in synthesizing an implementation for our distributed system consisting 
of two strategies, one for each process, whose combined behavior satisfies the 
specification. In this example, the specification for process b is to transmit the 
initial value of in, an input of a, to b’s own output; this is expressed by the 
linear-time temporal logic (LTL) formula $\varphi_b = in \leftrightarrow \Diamond out$. The specification 
does not restrict a’s behavior, and so $\varphi_a = \mathit{true}$. Since the value of out is con- 
trolled by b, whereas in is determined by the environment and observed by a, 
this specification forces b to react to an input that b neither observes nor con- 
trols. To satisfy the goal, out must remain false forever if in is initially false, 
while out must eventually become true at least once if in starts with value true. 
Indeed, in order to set out to true, process b must know that in is initially 
true, which can only be satisfied via information flow from a to b. We can cap- 
ture this information flow requirement as the following hyperproperty: For every 
pair of traces that disagree on the initial value of in, process a must (eventu- 
ally) behave differently on c. The requirement can be expressed in HyperLTL 
by the formula $\psi = \forall \pi, \pi'.\ (in_\pi \oplus in_{\pi'}) \rightarrow \Diamond (c_\pi \oplus c_{\pi'})$. The information flow 
requirement does not restrict a to behave in a particular manner; the encoding 
of the information about in on the channel c depends on a’s behavior. Under the 
assumption that a will behave according to the information flow requirement $\psi$, 
one can synthesize a solution of b that is correct for every implementation of a. 
Given its generality, we call such a solution a hyper implementation. The hyper 
implementation of process b is shown in Fig. 1b. Since the point in time when 
the information is received by b is unknown during the local synthesis process, 
an additional auxiliary boolean variable t is added to the specification of b. This 
variable signals that the information has been transmitted and is later derived 
by a’s implementation. Setting out to true is only allowed after t is observed by 
process b. When the hyper implementation is composed with the actual imple- 
mentation of a, as shown in Fig. 1c, both local specifications are satisfied. The 
resulting local implementation of b, depicted in Fig. 1d, branches only on local 
inputs and, together with a, satisfies the specification. While changing state $b_0$ 
to $b_1$, process b cannot distinguish in from $\neg in$. It has to wait for one time step, 
i.e., the first difference in outputs of process a, to observe the difference in the 
shared communication channel. The value of t is obtained from a’s implemen- 
tation and set to true with the first difference in c, forbidding the edge from hb 
to h? in the local implementation of b. 


3 Preliminaries 


Architectures. For ease of exposition we focus in this paper on systems with two 
processes. Let $\mathcal{V}$ be a set of variables. An architecture with two black-box processes 
p and q is given as a tuple $(I_p, I_q, O_p, O_q, O_e)$, where $I_p$, $I_q$, $O_p$, $O_q$, and $O_e$ are all 
subsets of $\mathcal{V}$. $O_p$ and $O_q$ are the output variables of p and q. $O_e$ are the output 
variables of the uncontrollable environment. The three sets $O_p$, $O_q$ and $O_e$ form a 
partition of $\mathcal{V}$. $I_p$ and $I_q$ are the input variables of processes p and q, respectively. 
For each black-box process, the inputs and outputs are disjoint, i.e., $I_p \cap O_p = \emptyset$ and 
$I_q \cap O_q = \emptyset$. The inputs $I_p$ and $I_q$ of the black-box processes are all either outputs 
of the environment or outputs of the other black-box process, i.e., $I_p \subseteq O_q \cup O_e$ 
and $I_q \subseteq O_p \cup O_e$. We assume that all variables are of boolean type. For a set 
$V \subseteq \mathcal{V}$, every subset $V' \subseteq V$ defines a valuation of V, where the variables in $V'$ 
have value true and the variables in $V \setminus V'$ have value false. 


Implementations. An implementation of an architecture $(I_p, I_q, O_p, O_q, O_e)$ is 
a pair $(s_p, s_q)$, consisting of a strategy for each of the two black-box pro- 
cesses. A strategy for a black-box process p is a function $s_p : (2^{I_p})^* \to 2^{O_p}$ 
that maps finite sequences of valuations of p’s input variables (i.e., histories 
of inputs) to a valuation of p’s output variables. The (synchronous) composi- 
tion $s_p \| s_q$ of the two strategies is the function $s : (2^{O_e})^* \to 2^{\mathcal{V}}$ that maps 
finite sequences of valuations of the environment’s output variables to valua- 
tions of all variables: we define $s(\epsilon) = s_p(\epsilon) \cup s_q(\epsilon)$ and, for $v \in (2^{O_e})^*$, $x \in 2^{O_e}$, 
$s(v \cdot x) = s_p(f_p(v)) \cup s_q(f_q(v)) \cup x$, where $f_p$ and $f_q$ map sequences of envi- 
ronment outputs to sequences of process inputs with $f_p(\epsilon) = \epsilon$, $f_p(v \cdot x) = f_p(v) \cdot ((x \cup s_q(f_q(v))) \cap I_p)$ and $f_q(\epsilon) = \epsilon$, $f_q(v \cdot x) = f_q(v) \cdot ((x \cup s_p(f_p(v))) \cap I_q)$. 


Specifications. Our specifications refer to traces over the set $\mathcal{V}$ of all variables. 
In general, for a set $V \subseteq \mathcal{V}$ of variables, a trace over V is an infinite sequence 
$x_0 x_1 x_2 \ldots \in (2^V)^\omega$ of valuations of V. A specification $\varphi \subseteq (2^V)^\omega$ is a set of 
traces over V. Two traces of disjoint sets $V, V' \subseteq \mathcal{V}$ can be combined by forming 
the union of their valuations at each position, i.e., $x_0 x_1 x_2 \ldots \cup y_0 y_1 y_2 \ldots = (x_0 \cup y_0)(x_1 \cup y_1)(x_2 \cup y_2)\ldots$. Likewise, the projection of a trace onto a set 
of variables $V' \subseteq V$ is formed by intersecting the valuations with $V'$ at each 
position: $x_0 x_1 x_2 \ldots |_{V'} = (x_0 \cap V')(x_1 \cap V')(x_2 \cap V')\ldots$ 

For our specification language, we use propositional linear-time temporal 
logic (LTL) [21], with the set $\mathcal{V}$ of variables as atomic propositions and the usual 
temporal operators Next $\bigcirc$, Until $\mathcal{U}$, Globally $\Box$, and Eventually $\Diamond$. System 
specifications are given as a conjunction $\varphi_p \wedge \varphi_q$ of two LTL formulas, where 
$\varphi_p$ refers only to variables in $O_p \cup O_e$, i.e., the formula relates the outputs of 
process p to the outputs of the environment, and $\varphi_q$ refers only to variables in 
$O_q \cup O_e$. The two formulas represent the local specifications for the two black-box 
processes. An implementation $s = (s_p, s_q)$ defines a set of traces 


$\mathit{Traces}(s_p, s_q) = \{ x_0 x_1 \ldots \in (2^{\mathcal{V}})^\omega \mid x_k = s(i_0 i_1 \ldots i_{k-1}) \text{ for all } k \in \mathbb{N}, \text{ for some } i_0 i_1 i_2 \ldots \in (2^{O_e})^\omega \}.$ 


We say that an implementation satisfies the specification if the traces of the 
implementation are contained in the specification, i.e., $\mathit{Traces}(s_p, s_q) \subseteq \varphi$. 


The Synthesis Problem. Given an architecture and a specification $\varphi$, the synthe- 
sis problem is to find an implementation $s = (s_p, s_q)$ that satisfies $\varphi$. We say that 
a specification $\varphi$ is realizable in a given architecture if such an implementation 
exists, and unrealizable if not. 


Hyperproperties. We capture information-flow assumptions as hyperproperties. 
A hyperproperty over V is a set $H \subseteq 2^{(2^V)^\omega}$ of sets of traces over V [6]. An imple- 
mentation $(s_p, s_q)$ satisfies the hyperproperty H iff its traces are an element of H, 
i.e., $\mathit{Traces}(s_p, s_q) \in H$. A convenient specification language for hyperproperties 
is the temporal logic HyperLTL [5]. HyperLTL extends LTL with quantification 
over trace variables. The syntax of HyperLTL is given by the following grammar: 
$\varphi ::= \forall \pi.\ \varphi \mid \exists \pi.\ \varphi \mid \psi$ and $\psi ::= v_\pi \mid \neg \psi \mid \psi \wedge \psi \mid \bigcirc \psi \mid \psi\, \mathcal{U}\, \psi$, where $v \in \mathcal{V}$ 
is a variable and $\pi \in \mathcal{T}$ is a trace variable. Note that the output variables are 
indexed by trace variables. The quantification over traces makes it possible to 
express properties like “$\psi$ must hold on all traces”, which is expressed by $\forall \pi.\ \psi$. 
Dually, one can express that “there exists a trace on which $\psi$ holds”, denoted 
by $\exists \pi.\ \psi$. The temporal operators are defined as in LTL. 
In some cases, a hyperproperty can be expressed in terms of a binary rela- 
tion on traces. A relation $R \subseteq (2^V)^\omega \times (2^V)^\omega$ of pairs of traces defines the 
hyperproperty H, where a set T of traces is an element of H iff for all pairs 
$\pi, \pi' \in T$ of traces in T it holds that $(\pi, \pi') \in R$. We call a hyperproperty defined 
in this way a 2-hyperproperty. In HyperLTL, 2-hyperproperties are expressed 
as formulas with two universal quantifiers and no existential quantifiers. A 2- 
hyperproperty can equivalently be represented as a set of infinite sequences 
over the product alphabet $\Sigma^2$: for a given 2-hyperproperty $R \subseteq \Sigma^\omega \times \Sigma^\omega$, 
let $R' = \{(\sigma_0, \sigma'_0)(\sigma_1, \sigma'_1) \cdots \mid (\sigma_0 \sigma_1 \ldots, \sigma'_0 \sigma'_1 \ldots) \in R\}$. This representation is 
convenient for the use of automata to recognize 2-hyperproperties. 


4 Necessary Information Flow in Distributed Systems 


In reactive synthesis it is natural that the synthesized process reacts to different 
environment outputs. This is also the case for distributed synthesis, where some 
outputs of the environment are not observable by a local process and the hidden 
values must be communicated to the process. In the following we show when 
such information flow is necessary. 


4.1 Necessary Information Flow 


Our analysis focuses on pairs of situations for which the specification dictates 
a different reaction from a given black-box process p. Such pairs imply the 
need for information flow that will enable p to distinguish the two situations: 
if p cannot distinguish the two situations, it will behave in the same manner 
in both. Consequently, the specification will be violated, no matter how p is 
implemented, in at least one of the two situations. A process p needs to satisfy 
a local specification $\varphi_p$, which relates its outputs $O_p$ to the outputs $O_e$ of the 
environment. (Recall that $O_e$ may contain inputs to the other black-box process.) 
We are therefore interested in pairs of traces over $O_e$ for which $\varphi_p$ does not admit 
a common valuation of $O_p$. We collect such pairs of traces in a distinguishability 
relation, denoted by $\Delta_p$: 


Definition 1 (Distinguishability). Given a local specification $\varphi_p$ for pro- 
cess p, the distinguishability relation $\Delta_p$ is the set of pairs of traces over $O_e$ 
(environment outputs) such that no trace over $O_p$ satisfies $\varphi_p$ in combination 
with both traces in the pair. Formally: 


$\Delta_p = \{(\pi_e, \pi'_e) \in (2^{O_e})^\omega \times (2^{O_e})^\omega \mid \forall \pi_p \in (2^{O_p})^\omega.\ \text{if } \pi_e \cup \pi_p \models \varphi_p \text{ then } \pi'_e \cup \pi_p \not\models \varphi_p \}$ 


By definition of $\Delta_p$, process p must distinguish $\pi_e$ from $\pi'_e$, because it cannot 
respond to both in the same manner. In our running example, $\Delta_b$ consists of all 
pairs of sequences of values of in that differ in the first value of in. Process b must 
act differently in such situations: if in is initially true then b must eventually set 
out to true, while if it starts as false, then b must keep out always set to false. 
In general, a black-box process p must satisfy its specification $\varphi_p$ despite hav- 
ing only partial access to $O_e$. The distinguishability relation therefore directly 
defines an information flow requirement: In order to satisfy $\varphi_p$, enough infor- 
mation about $O_e$ must be communicated to p via its local inputs $I_p$ to ensure 
that p can distinguish any pair of traces in $\Delta_p$. We formalize this information flow 
assumption as the following 2-hyperproperty, which states that if the outputs of 
the environment in the two traces must be distinguished, i.e., the projection on 
$O_e$ is in $\Delta_p$, then there must be a difference in the local inputs $I_p$: 


Definition 2 (Information flow assumption). The information flow 
assumption $\psi_p$ induced by $\Delta_p$ is the 2-hyperproperty defined by the relation 


$R_{\psi_p} = \{(\pi, \pi') \in (2^{\mathcal{V}})^\omega \times (2^{\mathcal{V}})^\omega \mid \text{if } (\pi|_{O_e}, \pi'|_{O_e}) \in \Delta_p \text{ then } \pi|_{I_p} \neq \pi'|_{I_p} \}$ 


In our running example, the information flow assumption for process b 
requires that on any two executions that disagree on the initial value of in, the 
values communicated to b over the channel c must differ at some point. Observe 
that the information flow assumption $\psi_p$ specifies neither how the information 
is to be encoded on c nor the point in time when the different communica- 
tion occurs. However, $\psi_p$ requires that the communication differs eventually if 
the initial values of in are different. Moreover, notice that both $\Delta_p$ and $\psi_p$ are 
determined by p’s specification $\varphi_p$. The following theorem shows that the infor- 
mation flow assumption $\psi_p$ is a necessary condition; the proof can be found in 
the full version of this paper [12]. 


Theorem 1. Every implementation that satisfies the local specification $\varphi_p$ for p 
also satisfies the information flow assumption $\psi_p$. 


4.2 Time-Bounded Information Flow 


We now introduce a strengthened version of the information flow assumption. As 
shown in Theorem 1, the information flow assumption is a necessary condition 
for the existence of an implementation that satisfies the specification. Often, 
however, the information flow assumption is not strong enough to allow for the 
separate synthesis of individual components in a compositional approach. 
Consider again process b in our motivating example. The information flow 
assumption guarantees that any pair of traces that differ in the initial value of 
the global input in will differ at some point in the value of the channel c. This 
assumption is not strong enough to allow process b to satisfy the specification 
that b must eventually set out to true iff the initial value of in is true. Suppose 
that in is true initially. Then b must at some point set out to true. Process b 
can only do so when it knows that the initial value of in is true. The information 
flow assumption is, however, too weak to guarantee that process b will eventually 
obtain this knowledge. To see this, consider a hypothetical behavior of process 
a that sets c forever to true, if in is true in the first position, and if in is false 
then a keeps c true for n - 1 steps, where n > 0 is some fixed natural number, 
before it sets c to false at the n-th step. This behavior of process a satisfies the 


Information Flow Guided Synthesis 513 


information flow assumption for any number n; however, without knowing n, 
process b does not know how many steps it should wait for in to become false. 
If, at any point in time t, the channel c has not yet been set to false, process 
b can never rule out the possibility that the initial value of in is true; it might 
simply be the case that t < n and, hence, the time when c will be set to false 
still lies in the future of t! Hence, process b can never actually set out to true. 
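The following added Python example (not the paper's or BoSyHyper's code) checks the information flow assumption of Sect. 4.1 for the bit transmission example on bounded traces, for several constructed sender strategies including the "wait n steps" behaviour just described; it computes, per strategy, the step by which b is guaranteed to see a difference on c, which is what the time-bounded assumption needs and what no single bound supplies across all n. The strategy names and the trace length are assumptions.

```python
"""Information flow assumption of the bit transmission example, checked on traces.

Added example (not the paper's or BoSyHyper's code). Process a sees the boolean
input `in` and writes channel c; process b sees only c and must eventually set
out iff in was initially true. The assumption psi_b says that any two traces
that disagree on the initial value of `in` must eventually differ in c. We
evaluate psi_b over all input traces of a bounded length for several constructed
sender strategies, and report the step by which the difference has appeared.
"""
from itertools import product
from typing import Callable, List, Optional

# A sender strategy maps the input prefix in_0 .. in_k to the channel value c_k
# (a simplification of the history-based strategies of Sect. 3: here c_k may
# depend on the current input as well as on the past).
Sender = Callable[[List[bool]], bool]


def copy_sender(ins: List[bool]) -> bool:
    return ins[0]                      # c_k = in_0: literally forward the bit


def negate_sender(ins: List[bool]) -> bool:
    return not ins[0]                  # encoded: c_k = !in_0


def delay_sender(n: int) -> Sender:
    """The behaviour from Sect. 4.2: c stays true forever if in_0 is true;
    if in_0 is false, c stays true for n-1 steps and becomes false at the
    n-th step, i.e. at index n-1."""
    def s(ins: List[bool]) -> bool:
        return ins[0] or len(ins) < n  # len(ins) == k+1, so first false at k = n-1
    return s


def silent_sender(ins: List[bool]) -> bool:
    return True                        # no information flows at all: violates psi_b


def channel_trace(sender: Sender, ins: List[bool]) -> List[bool]:
    """The c trace produced by `sender` on the input trace `ins`."""
    return [sender(ins[:k + 1]) for k in range(len(ins))]


def first_difference(sender: Sender, ins: List[bool],
                     ins2: List[bool]) -> Optional[int]:
    """First step k at which c differs between the two runs, or None."""
    c, c2 = channel_trace(sender, ins), channel_trace(sender, ins2)
    return next((k for k in range(len(c)) if c[k] != c2[k]), None)


def flow_bound(sender: Sender, length: int) -> Optional[int]:
    """Bounded check of psi_b: over all pairs of input traces of the given
    length that disagree on in_0, return the latest first-difference step
    (a single t that works for every pair), or None if some pair never
    differs within `length` steps, i.e. psi_b is not witnessed in the bound."""
    worst = -1
    for ins, ins2 in product(product([False, True], repeat=length), repeat=2):
        if ins[0] == ins2[0]:
            continue                   # psi_b only constrains pairs differing in in_0
        k = first_difference(sender, list(ins), list(ins2))
        if k is None:
            return None
        worst = max(worst, k)
    return worst


def satisfies_flow(sender: Sender, length: int) -> bool:
    return flow_bound(sender, length) is not None


if __name__ == "__main__":
    print(flow_bound(copy_sender, 4))       # 0: the bit is visible immediately
    print(flow_bound(negate_sender, 4))     # 0: the encoding does not matter to psi_b
    print(flow_bound(delay_sender(3), 6))   # 2: b must wait until index n-1
    print(flow_bound(delay_sender(5), 6))   # 4: the bound grows with n
    print(flow_bound(delay_sender(7), 6))   # None: not witnessed within 6 steps
    print(flow_bound(silent_sender, 4))     # None: psi_b violated
```

Every delay_sender(n) satisfies psi_b for a long enough bound, but the bound it needs is n-1, so no function t chosen before a is known works for all of them.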

To address this, we present a finer version of the distinguishability relation 
from Definition 1 that we call time-bounded distinguishability. Recall that by 
Definition 1, a pair $(\pi_e, \pi'_e)$ is in the distinguishability relation $\Delta_p$ if every output 
sequence $\pi_p$ for p violates p’s specification $\varphi_p$ when combined with at least one 
of the input sequences $\pi_e$ or $\pi'_e$. Equivalently, if $\varphi_p$ is satisfied by $\pi_p$ combined 
with $\pi_e$, then it is violated when $\pi_p$ is combined with $\pi'_e$. Observe that for p to 
behave differently in two scenarios, a difference must occur at a finite time t. 
Clearly, this will only happen if p’s input shows a difference in finite time. To 
capture this, we say that a pair $(\pi_e, \pi'_e)$ of environment output sequences is in the 
time-bounded distinguishability relation if the violation with $\pi'_e$ is guaranteed to 
happen in finite time. In order to avoid this violation, process p must act in finite 
time, before the violation occurs on $\pi'_e$. We say that a trace $\pi$ finitely violates 
an LTL formula $\varphi$, denoted by $\pi \not\models_f \varphi$, if there exists a finite prefix w of $\pi$ such 
that every (infinite) trace extending w violates $\varphi$. 


Definition 3 (Time-bounded distinguishability). Given a local specifica- 
tion $\varphi_p$ for process p, the time-bounded distinguishability relation $\Delta_p$ is the set 
of pairs $(\pi_e, \pi'_e) \in (2^{O_e})^\omega \times (2^{O_e})^\omega$ of traces of global inputs such that every 
trace of local outputs $\pi_p \in (2^{O_p})^\omega$ either violates the specification $\varphi_p$ when combined 
with $\pi_e$, or finitely violates p’s local specification $\varphi_p$ when combined with $\pi'_e$: 


$\Delta_p = \{(\pi_e, \pi'_e) \in (2^{O_e})^\omega \times (2^{O_e})^\omega \mid \forall \pi_p \in (2^{O_p})^\omega.\ \text{if } \pi_e \cup \pi_p \models \varphi_p \text{ then } \pi'_e \cup \pi_p \not\models_f \varphi_p \}$ 


Note that, unlike the distinguishability relation $\Delta_p$ of Definition 1, the time-bounded distin- 
guishability relation of Definition 3 is not symmetric: For $(\pi_e, \pi'_e)$, the trace $\pi'_e \cup \pi_p$ has to 
finitely violate $\varphi_p$, while the trace $\pi_e \cup \pi_p$ only needs to violate $\varphi_p$ in the infi- 
nite evaluation. As a result, the corresponding time-bounded information flow 
assumption will also be asymmetric: we require that on input $\pi_e$, process p 
eventually obtains the knowledge that the input is different from $\pi'_e$. For input 
$\pi'_e$, we do not impose such a requirement. The intuition behind this definition is 
that on environment output $\pi'_e$, process p must definitely produce some output 
that does not finitely violate $\varphi_p$. This output can safely be produced without 
ever knowing that the input is $\pi'_e$. However, on input $\pi_e$, it becomes necessary 
for process p to eventually deviate from the output that would work for $\pi'_e$. In 
order to safely do so, p needs to realize after some finite time that the input is 
not $\pi'_e$. In our running example, $\pi_e$ would be an input in which in is initially 
true, while $\pi'_e$ will be one in which it starts out being false. 

Suppose we have a function $t : (2^{O_e})^\omega \to \mathbb{N}$ that identifies, for each environ- 
ment output $\pi_e$, the time $t(\pi_e)$ by which process p is guaranteed to know that 
the environment output is not $\pi'_e$. We define the information flow assumption 
for this particular function t as a 2-hyperproperty. Since we do not know t in 
advance, the time-bounded information flow assumption is the (infinite) union 
of all 2-hyperproperties corresponding to the different possible functions t. 


Definition 4 (Time-bounded information flow assumption). Given the time-bounded distinguishability relation $\Delta_p$ for process $p$, the time-bounded information flow assumption $\chi_p$ for $p$ is the (infinite) union over the 2-hyperproperties induced by the following relations $R_t$, for all possible functions $t : (2^{O_e})^\omega \rightarrow \mathbb{N}$:

$$R_t = \{(\pi, \pi') \in (2^{V})^\omega \times (2^{V})^\omega \mid \text{if } (\pi|_{O_e}, \pi'|_{O_e}) \in \Delta_p \text{, then } \pi[0 \ldots t(\pi|_{O_e})]|_{I_p} \neq \pi'[0 \ldots t(\pi|_{O_e})]|_{I_p}\}$$


Unlike the information flow assumption (cf. Theorem 1), the time-bounded information flow assumption is not in general a necessary assumption. Consider a modification of our motivating example, where there is an additional environment output start, which is only visible to process a, not to process b. The previous specification $\varphi_b$ is modified so that if in is true initially, then out must be true two steps after start becomes true for the first time; if in is false initially, then out must become false after two positions have passed since the first time start has become true. The specification $\varphi_a$ ensures that the channel c is set to true until start becomes true. Clearly, this is realizable: if in is false initially, process a sets c to false once start becomes true, otherwise c stays true forever. Process b starts by setting out to true. It then waits for c to become false, and, if and when that happens, sets out to false. In this way, process b accomplishes the correct reaction within two steps after start has occurred. However, the function $t$ required by the time-bounded information flow assumption does not exist, because the time of the communication depends on the environment: the prefix needed to distinguish an environment output $\pi_e$, where in is true initially, from an environment output $\pi'_e$, where in is false initially, depends on the time when start becomes true on $\pi'_e$.

We now characterize a set of situations in which the time-bounded information flow requirement is still a necessary requirement. For this purpose we consider time-bounded distinguishability relations where the safety violation occurs after a bounded number of steps. We call such time-bounded distinguishability relations uniform; the formal definition follows below.


Definition 5 (Uniform distinguishability). A time-bounded distinguishability relation $\Delta_p$ is uniform if for every trace $\pi_e \in (2^{O_e})^\omega$ of global inputs, and every trace $\pi_p \in (2^{O_p})^\omega$ of local outputs of $p$, there exists a natural number $n \in \mathbb{N}$ such that for all $\pi'_e \in (2^{O_e})^\omega$ s.t. $(\pi_e, \pi'_e) \in \Delta_p$: if $\pi_e \sqcup \pi_p \models \varphi_p$ then $\pi'_e \sqcup \pi_p \not\models_n \varphi_p$.


Theorem 2. Let $\Delta_p$ be a uniform time-bounded distinguishability relation derived from process $p$'s local specification $\varphi_p$. Every computation tree that satisfies $\varphi_p$ also satisfies the time-bounded information flow assumption $\chi_p$.


The proof of Theorem 2 can be found in the full version of this paper [12]. 
The relations presented in this section as well as the uniformity check can be 
represented by and verified with automata, also shown in [12]. 
5 Compositional Synthesis


We now use the time-bounded information flow assumptions to split the distributed synthesis problem for an architecture $(I_p, I_q, O_p, O_q, I_e)$ into two separate synthesis problems. The local implementations are then composed and form a correct system, whose decomposition returns the solution for each process.


5.1 Constructing the Hyper Implementations 


We begin with the synthesis of local processes. Let $\Delta_p$ and $\Delta_q$ be the time-bounded distinguishability relations for $p$ and $q$, and let $\chi_p$ and $\chi_q$ be the resulting time-bounded information flow assumptions. In the individual synthesis problems, we ensure that process $p$ provides the information needed by process $q$, i.e., that the implementation of $p$ satisfies $\chi_q$, and, similarly, that $q$ provides the information needed by $p$, i.e., $q$'s implementation satisfies $\chi_p$.

We carry out the individual synthesis of a process implementation on trees that branch according to the input of the process (including $t_p$) and the environment's output. In such a tree, the synthesized process thus has access to full information. We call this tree a hyper implementation, rather than an implementation, because the hyper implementation describes how the process will react to certain information, without specifying how the process will receive information. This detail is left open until we know the other process' hyper implementation: at that point, both hyper implementations can be turned into standard strategies, which are trees that branch according to the process' own inputs.


Definition 6 (Hyper implementation). Let $p$ and $q$ be processes and $e$ be the environment. A $2^{O_e \cup I_p \cup \{t_p\}}$-branching $2^{O_p \cup \{t_q\}}$-labeled tree $h_p$ is a hyper implementation of $p$.


Since the hyper implementation has access to the full global information, while the time-bounded information flow assumption only guarantees that the relevant information arrives after some bounded time, the strategy has "too much" information. We compensate for this by introducing a locality condition: on two traces $(\pi, \pi') \in \Delta_p$ in the distinguishability relation of process $p$, as long as the input to the process from the external environment is identical, process $p$'s output must be identical until $t_p$ happens (which signals that the bound for the transmission of the information has been reached). For traces $(\pi_e, \pi'_e) \notin \Delta_p$ outside the distinguishability relation, process $p$'s output must be identical until there is a difference in the input to process $p$ or in the value of $t_p$.


Definition 7 (Locality condition). Given the time-bounded distinguishability relation $\Delta_p$ for process $p$, the locality condition $\eta_p$ for $p$ is the 2-hyperproperty induced by the following relation $R$:

$$R = \{(\pi, \pi') \in (2^{O_e \cup I_p \cup \{t_p\}})^\omega \times (2^{O_e \cup I_p \cup \{t_p\}})^\omega \mid \text{if } (\pi|_{O_e}, \pi'|_{O_e}) \in \Delta_p \text{, then } \pi[0 \ldots t]|_{O_p} = \pi'[0 \ldots t]|_{O_p} \text{ and if } (\pi|_{O_e}, \pi'|_{O_e}) \notin \Delta_p \text{, then } \pi[0 \ldots t']|_{O_p} = \pi'[0 \ldots t']|_{O_p}\}$$

where $t$ is the smallest natural number such that $t_p \in \pi[0 \ldots t]$ or $\pi[0 \ldots t]|_{I_p} \neq \pi'[0 \ldots t]|_{I_p}$ (and $\infty$ if no such $t$ exists), and $t'$ is the smallest natural number such that $\pi[0 \ldots t']|_{I_p} \neq \pi'[0 \ldots t']|_{I_p}$ or $\pi[0 \ldots t']|_{\{t_p\}} \neq \pi'[0 \ldots t']|_{\{t_p\}}$ (and $\infty$ if no such $t'$ exists).


We now use HyperLTL to formulate the locality condition for process b in our running example. Based on the time-bounded distinguishability relation $\Delta_b$, which relates every trace with in = true in the first step to all traces on which in = false holds there, we can write the locality condition:


$$\forall \pi, \pi'.\ (in_\pi \wedge \neg in_{\pi'}) \rightarrow \big((t_\pi \vee c_\pi \not\leftrightarrow c_{\pi'})\ \mathcal{R}\ (out_\pi \leftrightarrow out_{\pi'})\big)$$

$$\wedge\ \neg(in_\pi \wedge \neg in_{\pi'}) \rightarrow \big((t_\pi \not\leftrightarrow t_{\pi'} \vee c_\pi \not\leftrightarrow c_{\pi'})\ \mathcal{R}\ (out_\pi \leftrightarrow out_{\pi'})\big)$$


The order in the formula is analogous to the order in Definition 7. For all pairs of traces that are in the distinguishability relation, i.e., in is true on $\pi$ and false on $\pi'$, the outputs being equivalent on both traces can only be released by $t$ on trace $\pi$ or by a difference in the local inputs (c). Moreover, if the traces are not in the distinguishability relation, i.e., $\neg(in_\pi \wedge \neg in_{\pi'})$, then only a difference in $t$ or c can release out to be equivalent on both traces. With the locality condition at hand, we define when a hyper implementation is locally correct:


Definition 8 (Local correctness of hyper implementations). Let $p$ and $q$ be processes, let $\varphi_p$ be the local specification of $p$, let $\eta_p$ be its locality condition, and let $\chi_q$ be the information flow assumption of $q$. The hyper implementation $h_p$ of $p$ is locally correct if it satisfies $\varphi_p$, $\eta_p$, and $\chi_q$.


The specification $\varphi_p$ is a trace property, while $\eta_p$ and $\chi_q$ are hyperproperties. Since all properties that need to be satisfied by the process are guarantees, it is not necessary to assume explicit behaviour of process $q$ to realize process $p$. Local correctness relies on the guarantee that the other process satisfies the current process' own information flow assumption. Note that both the locality condition and the information flow assumption for $p$ build on the time-bounded distinguishability relation of $p$.


5.2 Composition of Hyper Implementations 


The hyper implementations of each of the processes are locally correct and satisfy the information flow assumptions of the other process respectively. However, the hyper implementations have full information of the inputs and are dependent on the additional variables $t_p$ and $t_q$. To construct practically executable local implementations, we first compose the hyper implementations into one strategy.


Definition 9 (Composition of hyper implementations). Let $p$ and $q$ be two processes with hyper implementations given as an infinite $2^{O_e \cup \{t_p\}}$-branching $2^{O_p \cup \{t_q\}}$-labeled tree $h_p$ for process $p$, and an infinite $2^{O_e \cup \{t_q\}}$-branching $2^{O_q \cup \{t_p\}}$-labeled tree $h_q$ for process $q$.


Fig. 2. The composition of the hyper implementations of a in Fig. 1c and b in Fig. 1d. 
The states are labeled with the combination of states that can be reached for both 
processes. 


Given two hyper implementations $h_p$ and $h_q$, we define the composition $h = h_p \| h_q$ to be a $2^{O_e}$-branching $2^{O_p \cup O_q}$-labeled tree, where $h(v) = (h_p(f_p(v)) \cup h_q(f_q(v))) \cap (O_p \cup O_q)$ and $f_p$, $f_q$ are defined as follows:

$$f_p(\varepsilon) = \varepsilon \qquad f_p(v \cdot x) = f_p(v) \cdot \big((x \cap I_p) \cup (h_q(f_q(v)) \cap (I_p \cup \{t_p\}))\big)$$

$$f_q(\varepsilon) = \varepsilon \qquad f_q(v \cdot x) = f_q(v) \cdot \big((x \cap I_q) \cup (h_p(f_p(v)) \cap (I_q \cup \{t_q\}))\big)$$


If each hyper implementation satisfies the time-bounded information flow 
assumption of the other process, then there exists a strategy for each process 
(given as a tree that branches according to the local inputs of the process), such 
that the combined behavior of the two strategies corresponds exactly to the 
composition of the hyper implementations. 

The composition of the hyper implementations of the bit transmission protocol is shown in Fig. 2. The initial state is the combination of both processes' initial states with the corresponding outputs. We change the state after the value of in is received. While process a directly reacts to in, process b cannot observe its value, and the composition can be in either of two states of b's hyper implementation; both states have the same output. In the next step, process a communicates the value of in by setting c to true or false, such that the two loop states shown in Fig. 2 are reached.

The local strategies of the processes are constructed from the composed hyper 
implementations. As an auxiliary notion we introduce the knowledge set: the set 
of finite traces in the composition that cannot be distinguished by a process. 


Definition 10 (Knowledge set). Let $p$ and $q$ be two processes with composed hyper implementations $h = h_p \| h_q$. For a finite trace $v \in (2^{I_p})^*$ of inputs to $p$, we define the knowledge set $K_p(v)$ to be

$$K_p(v) = \{w \mid w \text{ is a finite trace of } (2^{O_e})^* \text{ and } f_p(w) = v\}.$$

Lemma 1. For all $v, v' \in (2^{O_e})^*$, if $K_p(v) = K_p(v')$ then $h(v)|_{O_p} = h(v')|_{O_p}$.


The proof of Lemma 1 can be found in the full version of this paper [12]. The 
local strategies from the composed hyper implementations are then defined as 
follows: 
Definition 11 (Local strategies from hyper implementations). Let $p$ and $q$ be two processes with time-bounded information flow assumptions $\chi_p$ and $\chi_q$, and $h = h_p \| h_q$ be the composition of their hyper implementations. For $j \in \{p, q\}$ the strategy $s_j$, represented as a $2^{I_j}$-branching $2^{O_j}$-labeled tree for process $j$, is defined as follows:

$$s_j(v) = \begin{cases} \emptyset & \text{if } |K_j(v)| = 0 \\ h(\min(K_j(v)))|_{O_j} & \text{if } |K_j(v)| > 0 \end{cases}$$

where $\min(K_j(v))$ is the smallest trace based on an arbitrary order over $K_j(v)$.


The base case of the definition inserts a label for unreachable traces in the composed hyper implementation. For example, the local inputs $I_p \setminus O_e$ are determined by $s_q$, and not all input words in $(2^{I_p})^*$ are possible. Process $p$'s local strategy $s_p$ can discard these input words. The second case of the definition picks the smallest trace in the knowledge set and computes the outputs from $h$ that are local to a process. Intuitively, the outputs of $h$ have to be the same for every trace that a process considers possible in the composed hyper implementations. We therefore pick one of them, compute the output of the composed hyper-strategy, and restrict the output to the local outputs of the process. The following theorem states the correctness of the construction in Definition 11.


Theorem 3. Let $p$ and $q$ be two processes with time-bounded information flow assumptions $\chi_p$ and $\chi_q$, let $h = h_p \| h_q$ be the composition of their hyper implementations, and $s_p$ and $s_q$ be their local strategies. Then, for all $v \in (2^{O_e})^*$ it holds that $h(v) = s_p(g_p(v)) \cup s_q(g_q(v))$ where $g_p$, $g_q$ are defined as follows:

$$g_p(\varepsilon) = \varepsilon \qquad g_p(v \cdot x) = g_p(v) \cdot \big((x \cap I_p) \cup (s_q(g_q(v)) \cap I_p)\big)$$

$$g_q(\varepsilon) = \varepsilon \qquad g_q(v \cdot x) = g_q(v) \cdot \big((x \cap I_q) \cup (s_p(g_p(v)) \cap I_q)\big)$$


The proof is inductive over the words $v \in (2^{O_e})^*$ and can be found in the full version of this paper [12]. Combining all definitions and theorems of the previous sections, we conclude with the following corollary.


Corollary 1. Let $(I_p, I_q, O_p, O_q, I_e)$ be an architecture and $\varphi = \varphi_p \wedge \varphi_q$ be a specification. If the hyper-strategies $h_p$ and $h_q$ are locally correct, then the implementation $(s_p, s_q)$ satisfies $\varphi$.
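The constructions of Definitions 9 to 11 and the decomposition equation of Theorem 3, carried out on the bit transmission protocol as an added example; this is not the paper's code or the BoSy tool, and the two hyper implementations h_a and h_b, the initial values of c and out, the treatment of t_a/t_b, and the projection of t_p inside the knowledge set are assumptions of the example.

```python
"""Added worked example (not the paper's own code): Definition 9 (composition
of hyper implementations), Definition 10 (knowledge sets), Definition 11
(local strategies) and the decomposition equation of Theorem 3, run on the
bit transmission protocol with two constructed hyper implementations."""
from functools import lru_cache
from itertools import product

# Architecture of the running example: `in` is an environment output visible
# only to a; a writes channel c, which b reads; b writes out.  t_a, t_b are the
# auxiliary signals of Definitions 6 and 9: t_p is received by p (raised by the
# other process) when the bound of p's information flow assumption is reached.
I = {"a": frozenset({"in"}), "b": frozenset({"c"})}
O = {"a": frozenset({"c"}), "b": frozenset({"out"})}
T = {"a": "t_a", "b": "t_b"}
IDX = {"a": 0, "b": 1}          # position of f_p / g_p in the pairs below

def word(*bits, var="in"):
    """Word over 2^{{var}} from booleans: word(True, False) = ({in}, {})."""
    return tuple(frozenset({var}) if b else frozenset() for b in bits)

def h_a(w):
    """Constructed hyper implementation of a: c is true at the root; from the
    first step on c carries the initial value of `in`, and t_b is raised."""
    if not w:
        return frozenset({"c"})
    return frozenset({"t_b", "c"}) if "in" in w[0] else frozenset({"t_b"})

def h_b(w):
    """Constructed hyper implementation of b: out starts true; once t_b has
    been received, out is the value of c read at that moment (memorised).
    b never raises t_a, because a needs no information from b."""
    for x in w:
        if "t_b" in x:
            return frozenset({"out"}) if "c" in x else frozenset()
    return frozenset({"out"})

@lru_cache(maxsize=None)
def f(v):
    """Definition 9: the words f_a(v), f_b(v) fed to h_a and h_b along the
    environment word v; each step joins the locally visible environment
    output with the other process' previous outputs on I_p and t_p."""
    if not v:
        return (), ()
    fa, fb = f(v[:-1])
    x = v[-1]
    xa = (x & I["a"]) | (h_b(fb) & (I["a"] | {T["a"]}))
    xb = (x & I["b"]) | (h_a(fa) & (I["b"] | {T["b"]}))
    return fa + (xa,), fb + (xb,)

def compose(v):
    """h = h_a || h_b: the joint output label at node v of the 2^{O_e}-tree."""
    fa, fb = f(v)
    return (h_a(fa) | h_b(fb)) & (O["a"] | O["b"])

def env_words(n):
    """All environment words of length n (each step: `in` true or false)."""
    return [word(*bits) for bits in product([True, False], repeat=n)]

def knowledge_set(p, v):
    """Definition 10; assumption: t_p is projected away before comparing
    f_p(w) with the local input word v over 2^{I_p}."""
    return [w for w in env_words(len(v))
            if tuple(x & I[p] for x in f(w)[IDX[p]]) == v]

def strategy(p, v):
    """Definition 11: the local strategy s_p, reading local inputs only."""
    k = knowledge_set(p, v)
    if not k:
        return frozenset()                    # label for unreachable inputs
    rep = min(k, key=lambda w: [sorted(x) for x in w])  # arbitrary fixed order
    return compose(rep) & O[p]

def g(v):
    """Theorem 3: local input words g_a(v), g_b(v) induced by the strategies."""
    if not v:
        return (), ()
    ga, gb = g(v[:-1])
    x = v[-1]
    xa = (x & I["a"]) | (strategy("b", gb) & I["a"])
    xb = (x & I["b"]) | (strategy("a", ga) & I["b"])
    return ga + (xa,), gb + (xb,)

def decomposition_holds(max_len):
    """Theorem 3: h(v) = s_a(g_a(v)) | s_b(g_b(v)) for all v up to max_len."""
    return all(compose(v) == strategy("a", g(v)[0]) | strategy("b", g(v)[1])
               for n in range(max_len + 1) for v in env_words(n))

def knowledge_consistent(p, max_len):
    """Lemma 1's intuition: all traces in a knowledge set agree on h|_{O_p}."""
    return all(len({compose(w) & O[p] for w in knowledge_set(p, v)}) <= 1
               for n in range(max_len + 1)
               for v in {tuple(x & I[p] for x in f(w)[IDX[p]])
                         for w in env_words(n)})

if __name__ == "__main__":
    for v in (word(True, False), word(False, False)):
        print([sorted(s) for s in v], "->", sorted(compose(v)))
    print("Theorem 3 holds up to length 4:", decomposition_holds(4))
```

Because b reads c only one step after a wrote it (f_b feeds b the previous outputs of a), the composed tree sets out correctly two steps after in was read, exactly the one-step communication delay described for Fig. 2.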


6 A More Practical Approach 


A major disadvantage of the synthesis approach of the preceding sections is that the hyper implementations are based on the full set of environment outputs; as a result, hyper implementations branch according to inputs that are not actually available; this, in turn, results in our introduction of the locality condition.

In this section, we develop a more practical approach, where the branching is limited to the information that is actually available to a process: this includes any environment output directly visible to the process and, additionally, the information the process is guaranteed to receive according to the information flow assumption. As a result, the synthesis of the process is sound without need for a locality condition. We develop this approach under two assumptions: First, we assume that the time-bounded information flow assumption only depends on environment outputs the sending process can actually see; second, we assume that the time-bounded information flow assumption can be decomposed into a finite set of classes in the following sense: For a trace $\pi$ of environment outputs, the information class $[\pi]_p$ describes that, on the trace $\pi$, the process $p$ eventually needs to become aware that the current trace is in the set $[\pi]_p$. The information class is obtained by collecting all traces that are not related to $\pi$ in the time-bounded distinguishability relation.


Definition 12 (Information classes). Given a time-bounded distinguishability relation $\Delta_p$ for process $p$, the information class $[\pi]_p$ of a trace $\pi$ over $O_e$ is the following set of traces:

$$[\pi]_p = (2^{O_e})^\omega \setminus \{\pi' \in (2^{O_e})^\omega \mid (\pi, \pi') \in \Delta_p\}$$


The next definition relativizes the specification of the processes for a particular information class, reflecting the fact that the process does not know the actual environment output, but only its information class; hence, the process output needs to be correct for all environment outputs in the information class.


Definition 13 (Relativized specification). For a process $p$ with specification $\varphi_p$ and an information class $c$, the relativized specification $\varphi_{p,c}$ is the following trace property over $(I_p \cap O_e) \cup O_p$:

$$\varphi_{p,c} = \{\pi_e \sqcup \pi_p \mid \pi_e \in (2^{I_p \cap O_e})^\omega,\ \pi_p \in (2^{O_p})^\omega \text{ s.t. } \forall \pi'_e \in c.\ \pi'_e \sqcup \pi_p \models \varphi_p\}$$


The component specification, which is the basis for the synthesis of the process, must take into account that the process does not know the information class in advance; the behavior of the other process will only eventually reveal the information class. Let $IC$ be the set of information classes for process $p$. Assume that this set is finite. We now replace the inputs of the process that come from the other process with new auxiliary input channels $IC$ as new inputs. In the hyper implementation, receiving such an input reveals the information class to the process. In the actual implementation, the information class will be revealed by the actual outputs of the other process that are observable for $p$. The component specification requires that the processes satisfy the relativized specification under the assumption that the information class is eventually received. We encode this assumption as a trace condition $\psi$, which requires that exactly one of the elements of $IC$ eventually occurs.


Definition 14 (Component specification). For process $p$ with specification $\varphi_p$, the component specification $\langle \varphi_p \rangle$ over $(I_p \cap O_e) \cup IC \cup O_p$ is defined as

$$\langle \varphi_p \rangle = \{\pi \in (2^{(I_p \cap O_e) \cup IC \cup O_p})^\omega \mid \text{if } \pi \models \psi \text{ then } \pi \models \bigwedge_{c \in IC} (\Diamond c \rightarrow \varphi_{p,c})\}$$


Fig. 3. The architecture used for our experiments in (a), where the number of outputs, inputs, and communication channels can vary. Figure 3b shows the implementation of process b for its bit transmission component specification.


where $\psi$ is the following trace property over $(I_p \cap O_e) \cup IC \cup O_p$:

$$\psi = \{\pi \in (2^{(I_p \cap O_e) \cup IC \cup O_p})^\omega \mid \exists \pi' \in (2^{O_e})^\omega.\ \pi|_{I_p \cap O_e} = \pi'|_{I_p \cap O_e} \text{ and } \pi \models \Diamond [\pi']_p \text{ and exactly one element of } IC \text{ occurs on } \pi\}$$


The component specification allows us to replace the locality condition (Definition 7), which is a hyperproperty, with a trace property. Note, however, that the process additionally needs to satisfy the information flow assumption of the other process, which may in general depend on the full set $O_e$ of environment outputs. This would require us to synthesize the process on the full set $O_e$, and to re-introduce the locality condition. In practice, however, the information flow assumption of one process often only depends on the information of the other process. In this case, it suffices to synthesize each process based only on the locally visible environment outputs.

Figure 3b shows the implementation of b for its component specification $\langle \varphi_b \rangle$. In contrast to its hyper implementation (cf. Fig. 1b), it does not branch according to in and $t_b$, but only variables in $IC$. The specification is encoded as the following LTL formula:

$$\langle \varphi_b \rangle = (\Diamond ic_0 \vee \Diamond ic_1) \rightarrow \Box\big((ic_0 \vee ic_1) \rightarrow ((ic_0 \rightarrow \Diamond out) \wedge (ic_1 \rightarrow \Box \neg out))\big)$$


The left hand side of the implication represents the assumption $\psi$, while the right hand side specifies the guarantee for each information class. The composition and decomposition can be performed analogously to the hyper implementations, where we map the value of $ic$ to the values of the communication variables. We construct the automata for component specifications in the full version of this paper [12].
7 Experiments


The focus of our experiments is on the performance of the compositional synthesis approach compared to non-compositional synthesis methods for distributed systems. While the time-bounded information flow assumptions and the component specification can be computed automatically by automata constructions, we have, for the purpose of these experiments, built them manually and encoded them as formulas in HyperLTL or LTL, which were then entered into the BoSy/BoSyHyper [11] synthesis tool¹. Our experiments are based on the following benchmarks:


— AC. Atomic commit. The atomic commitment protocol specifies that the output of a local process is set to true iff the observable input and the unobservable inputs are true. We only consider one round of communication; the initial input determines all values. The parameter shows how many input variables each process receives, Par. = 1 for the running example.

— EC. Eventual commit. The atomic commit benchmark extended to eventual inputs: if all inputs (independently of each other) eventually become true, then there needs to be information flow.

— SA. Send all. Every input of the sender is relevant for the receiver. If an input is set to true, it will eventually be communicated to the receiver. The parameter represents the number of input values and therefore the number of information classes.


Table 1 shows the performance of the compositional synthesis approach. The column architecture (Arch.) determines for each benchmark if the information flow is directional (dir.) or bidirectional (bidir.). Column (Inflow send) indicates the running time for the sending process; where applicable, column (Inflow rec.) indicates the running time for the synthesis of the process that only receives information. We compare the compositional approach to BoSyHyper, based on a standard encoding of distributed synthesis in HyperLTL (Inc. BoSy), and a specialized tool for distributed synthesis [2] (Distr. BoSy). All experiments were performed on a MacBook Pro with a 2.8 GHz Intel Quad Core processor and 16 GB of RAM. The timeout was 30 min.

Information flow guided synthesis outperforms the standard approaches, especially for more complex components. For example, in the atomic commitment benchmark, scaling in the number of inputs does not impact the synthesis of the local processes, while Distr. BoSy eventually times out, and the running time of Inc. BoSy increases faster than for the information flow synthesis. For all approaches, the Send All benchmark is the hardest one to solve. Here, each input that will eventually be set needs to be eventually sent, which leads to non-trivial communication over the shared variables and an increased state space to memorize the individual inputs. Nevertheless, the information flow guided synthesis outperforms the other approaches and times out with parameter 3

¹ The experiments are available at https://doi.org/10.6084/m9.figshare.19697359.
Table 1. The results of the experiments with execution times given in seconds. A cell is highlighted if it was faster than the other approaches, where the sum of synthesis times for both sender and receiver is taken as reference.


Bench. | Arch.  | Par. | Inflow send | Inflow rec. | Distr. BoSy | Inc. BoSy
AC     | dir    | 1    | 0.92        | 0.70        | 1.41        | 2.31
AC     | dir    | 2    | 0.36        | 1.28        | 2.86        | 2.30
AC     | dir    | 3    | 0.92        | 0.68        | 2.46        | 2.55
AC     | dir    | 4    | 0.92        | 0.79        | 720.60      | 3.41
AC     | dir    | 5    | 0.92        | 0.68        | TO          | 9.27
AC     | bidir  | 1    | 1.45        | -           | 0.96        | 9.27
AC     | bidir  | 2    | 2.49        | -           | TO          | TO
AC     | bidir  | 3    | 79.18       | -           | TO          | TO
AC     | bidir  | 4    | TO          | -           | TO          | TO
EC     | dir    | 1    | 0.68        | 1.87        | 0.92        | 2.556
EC     | dir    | 2    | 0.94        | 1.85        | 0.96        | 3.90
EC     | dir    | 3    | 202.09      | TO          | TO          | TO
EC     | dir    | 4    | TO          | TO          | TO          | TO
EC     | bidir  | 1    | 3.77        | -           | 4.63        | 147.46
EC     | bidir  | 2    | TO          | -           | TO          | TO
SA     | dir    | 1    | 1.31        | 0.92        | 2.21        | 1.579
SA     | dir    | 2    | 1.78        | 0.92        | 27.47       | TO
SA     | dir    | 3    | TO          | 1.08        | TO          | TO


because BoSyHyper cannot cope with the number of states needed. Synthesizing a receiver that does not satisfy an information flow assumption is close to irrelevant for every benchmark run. Since these processes are synthesized with local LTL specifications, scaling only in the number of local inputs or information that will eventually be received is easily possible. Notably, these receivers are compatible with any implementation of the sender, whereas the solutions of the other approaches are only compatible for the same synthesis run.


8 Related Work 


Compositional synthesis is often studied in the setting of complete information, where all processes have access to all environment outputs [9, 14, 17, 19]. In the following, we focus on compositional approaches for the synthesis of distributed systems, where the processes have incomplete information about the environment outputs. Compositionality has been used to improve distributed synthesis in various domains, including reactive controllers [1, 16]. Closest to our approach is assume-guarantee synthesis [3, 4], which relies on behavioral guarantees of the process's behaviour and assumptions about the behavior of the other processes. Recently, an extension of assume-guarantee synthesis for distributed systems was proposed [20], where the assumptions are iteratively refined. Using a weaker winning condition for synthesis, remorse-free dominance [7] avoids the explicit construction of assumptions and guarantees, resulting in implicit assumptions. A recent approach [13] uses behavioral guarantees in the form of certificates to guide the synthesis process. Certificates specify partial behaviour of each component and are iteratively synthesized. The fundamental difference between all these approaches and the current work is that the assumptions are behavioral. To the best of our knowledge, this is the first synthesis approach based on information-flow assumptions. While there is a rich body of work on the verification of information-flow properties (cf. [8, 15, 24]), and the synthesis from information-flow properties and other hyperproperties has also been studied before (cf. [11]), the idea of utilizing hyperproperties as assumptions for compositional synthesis of distributed systems is new.


9 Conclusion 


The approach introduced in this paper provides the foundation for a new class of distributed synthesis algorithms, where the assumptions refer to the flow of information and are represented as hyperproperties. In many situations, necessary information flow assumptions exist even if there are no necessary behavioral assumptions. There are at least two major directions for future work. The first direction concerns the insight that compositional synthesis profits from the generality of hyperproperties; at the same time, synthesis from hyperproperties is much more challenging than synthesis from trace properties. To address this issue, we have presented the more practical method in Sect. 6, which replaces locality, a hyperproperty, with the component specification, a trace property. However, this method is limited to information flow assumptions that refer to a finite amount of information. It is very common for the required amount of information to be infinite in the sense that the same type of information must be transmitted again and again. We conjecture that our method can be extended to such situations.

A second major direction is the extension to distributed systems with more 
than two processes. The two-process case has the advantage that the assumptions 
of one process must be guaranteed by the other. With more than two processes, 
the localization of the assumptions becomes more difficult or even impossible, if 
multiple processes have access to the required information. 
Abstract. In many synthesis problems, it can be essential to generate implementations which not only satisfy functional constraints but
are also randomized to improve variety, robustness, or unpredictability. 
The recently-proposed framework of control improvisation (CI) provides 
techniques for the correct-by-construction synthesis of randomized sys- 
tems subject to hard and soft constraints. However, prior work on CI 
has focused on qualitative specifications, whereas in robotic planning 
and other areas we often have quantitative quality metrics which can be 
traded against each other. For example, a designer of a patrolling security 
robot might want to know by how much the average patrol time needs 
to be increased in order to ensure that a particular aspect of the robot’s 
route is sufficiently diverse and hence unpredictable. In this paper, we 
enable this type of application by generalizing the CI problem to sup- 
port quantitative soft constraints which bound the expected value of a 
given cost function, and randomness constraints which enforce diversity 
of the generated traces with respect to a given label function. We estab- 
lish the basic theory of labelled quantitative CI problems, and develop 
efficient algorithms for solving them when the specifications are encoded 
by finite automata. We also provide an approximate improvisation algo- 
rithm based on constraint solving for any specifications encodable as 
Boolean formulas. We demonstrate the utility of our problem formula- 
tion and algorithms with experiments applying them to generate diverse 
near-optimal plans for robotic planning problems. 


1 Introduction 


Correct-by-construction synthesis of systems from high-level specifications has 
become a popular paradigm in fields ranging from circuit design [5] to robotic 
task planning [25]. Synthesis techniques for many different types of specifica- 
tions have been developed, especially for temporal logic formulas, which can 
encode many properties of interest [14]. One less-studied type of specification 
are randomness constraints that require the system’s behavior to be sufficiently 
random, for instance by being close to a uniform distribution over the set of 
allowed behaviors. Such specifications are useful in many applications, as randomness can provide robustness, variety, and unpredictability to a system. For
example, fuzz testing tools often use constraints to select classes of inputs which 
are more likely to trigger bugs, but then search randomly within that class to 
prevent bias [29]. In robotic planning, a patrolling security robot that uses a fixed 
plan satisfying its requirements might be vulnerable to exploitation; adding ran- 
domness to make its route unpredictable can make exploitation more difficult. 
While there has been substantial work on synthesis with stochastic environ- 
ments (e.g. [2,9]), randomness constraints require the system itself to behave 
randomly even if the environment is deterministic. Furthermore, unlike most 
specifications used in synthesis, randomness constraints are properties not of 
individual behaviors but rather of their distribution, and they cannot be con- 
cisely encoded into existing specification formalisms like PCTL [22] and SGL [3]. 
As a result, synthesis of systems under such constraints requires new techniques. 
A recently-proposed paradigm for the correct-by-construction synthesis of 
systems under randomness constraints is algorithmic improvisation [13,15,16]. 
Algorithmic improvisation comprises a class of synthesis problems whose goal 
is to construct a randomized algorithm, an improviser, satisfying three kinds of 
constraints: hard constraints that the improviser’s output must always satisfy, 
soft constraints that need only be satisfied to a certain (tunable) extent, and ran- 
domness constraints requiring the output to be sufficiently random. These types 
of constraints correspond to natural requirements arising for example in robot 
planning: the hard constraints can encode safety or other functional require- 
ments, the soft constraints can encode notions of efficiency or optimality, and 
the randomness constraints enforce diversity or unpredictability. The original 
and most-studied form of algorithmic improvisation is the control improvisation 
(CI) problem (introduced in [12] and formalized in [16,17]), where the improviser 
generates finite sequences of symbols, the hard constraint is a trace property, the 
soft constraint requires some trace property hold with at least a desired proba- 
bility, and the randomness constraint puts upper and lower bounds on the proba- 
bility of individual outputs. Control improvisation and its extensions have been 
successfully used for musical improvisation [13], robotic planning [19], human 
modeling subject to constraints [1], and generating synthetic datasets for testing 
and training cyber-physical systems with machine learning components [18]. 
However, the prior work on CI is not general enough to cover many random- 
ized synthesis problems of interest, for two reasons. First, many planning, design 
space exploration, and other problems come with a cost function expressing how 
optimal a particular solution is; in the setting of generating randomized solu- 
tions, the most natural soft constraint would be to require that the expected cost 
of a solution should be low, so that we can obtain a diverse set of near-optimal 
solutions. In a patrolling robot application, for example, the fastest patrol route 
might be unique and so predictable, and we then want to know by how much we 
would need to increase the average patrol time in order to enable a sufficiently- 
diverse set of routes. The prior work on CI cannot provide such an analysis. 
Second, while the CI randomness constraint is sufficient to make the improviser’s 
exact output unpredictable, it is not sufficient to ensure diversity when 
many outputs are similar to each other. Continuing our patrolling robot exam- 
ple, suppose that the robot has a choice of two rooms to go through: one room is 
larger, and so there are (say) 10° possible paths through it, vs. only 10° through 
the other room. Even if a perfectly-uniform distribution over all these paths is 
possible given our other constraints, the robot will end up entering the larger 
room almost all of the time. But from the point of view of an adversary that 
wishes to avoid being seen by the robot, the exact path is not relevant: what 
matters is which room the robot will enter, and that is highly predictable. For 
this application, we need a randomness requirement that enforces diversity not 
over the output of the improviser, but over some attribute of the output. 

To enable such applications, in this paper we introduce the concept of Labelled 
Quantitative Control Improvisation (LQCI). This problem extends CI with a soft 
constraint bounding the expected cost of generated traces, and a randomness 
constraint requiring near-uniformity of the label of a trace, given by an arbitrary 
label function. We study the theory of LQCI, establishing precise conditions for 
when an LQCI problem is solvable and a general construction for solving it. We 
use our construction to develop efficient improvisation algorithms for a broad 
class of specifications given by finite automata, including common cost func- 
tions such as mission time or path length. For specifications not easily encoded 
to (reasonably-sized) automata, we provide an approximate improvisation algo- 
rithm based on constraint solving that handles symbolic specifications encoded 
as Boolean formulas. We also explore an extension of the LQCI problem for 
finding the maximum-entropy distribution satisfying the other constraints (as in 
[30]), and develop an algorithm for solving it using convex optimization. Finally, 
we conduct a case study demonstrating that our approach allows us to formalize 
and solve realistic robotic planning problems. 

In summary, the main contributions of this paper are: 


— The labelled quantitative control improvisation problem definition (Sect. 2); 

— A characterization of which LQCI problems are solvable, and a general con- 
struction for solving them (Sect. 3); 

— Efficient improvisation algorithms for finite automata specifications (Sect. 4); 

— An approximate algorithm for Boolean formula specifications (Sect. 5); 

— An algorithm for maximum-entropy LQCI problems (Sect. 6); 

— Experiments using our algorithms for robotic planning (Sect. 7). 


We conclude in Sect. 8 with a summary of results and directions for future work. 
For brevity, we defer full proofs of all results to the Appendix [21]. 


2 Overview and Problem Definition 


In this section we formally define the LQCI problem, first using applications to 
robotic planning and fuzz testing to motivate various aspects of our definitions. 
We will return to the robotic planning example for our experiments in Sect. 7. 
2.1 Motivating Examples 


Robotic Planning. Consider the problem of generating a path for a package 
delivery robot, where the robot should efficiently visit various drop-off points, 
visiting charging stations as necessary along the way. Discretizing the world 
into a grid, we can represent a path as a finite sequence of north, south, east, 
and west moves. We might have various requirements for such paths, falling 
into the three types of constraints of a control improvisation problem described 
above: hard constraints such as completing mission objectives and not navigating 
into impassable terrain, soft constraints such as preferring shorter paths, and 
randomness constraints to ensure the chosen path is unpredictable. However, as 
we saw in Sect. 1, randomness over paths can be less important than randomness 
over specific features of a path: here, it might be that charging leaves the robot 
vulnerable for an extended period, so that it is important to limit the extent 
to which an adversary can predict ahead of time which charging station will be 
used. If there are 3 charging stations, then all possible paths are divided into 3 
classes, and we want the class of a generated path to be unpredictable; we can 
formalize this as a label function which assigns labels to paths, and require that 
the distribution over labels be close to uniform. Since we do not want to simply 
pick a single path from each label class, we can also enforce randomness within 
each class, either by bounding the conditional probabilities of paths (so that 
no path is too likely relative to others in its class) or by taking the maximum- 
entropy distribution that satisfies our randomness-over-labels condition (we will 
return to this approach in Sect. 6). 

For efficiency, we want our robot to use routes which are as fast as possible, 
taking into account varying terrain. We could model this using a cost function 
assigning numerical costs to each path: here, the total time needed to traverse it. 
However, as mentioned in Sect. 1, prior work on CI can only encode Boolean soft 
constraints, such as requiring the cost of a path to be at most 5 with probability 
at least 0.9. While this does allow for some control over the cost, it requires 
setting an arbitrary threshold, and otherwise ignores the actual values of the cost; 
thus, a path of cost 6 is treated no differently than a path of cost 10°. Instead, 
we want to bound the expected cost of a path, so that both the probabilities of 
individual paths and their absolute costs are taken into account. 

Putting all this together, we define our example planning problem as generat- 
ing paths through the grid worlds in Fig. 1, subject to the following constraints: 


Hard Constraint: 
(a) The robot must begin in the start cell S and must end in the end cell E. 
(b) The robot must visit all package drop-off points O. 
(c) The robot must charge at a charging station C. 
(d) The robot must not enter impassable locations X. 
Cost Constraint: 
The expected time to complete the mission must be at most a constant c. 
Randomness over Labels: 
For each choice of charging station, the chance that the robot uses that station 
must be at least $\lambda$ and at most $\rho$. 
Randomness over Words: 
Conditioned on selecting a certain charging station, the probability of picking 
any path must be at least $\alpha$ and at most $\beta$. 


[Fig. 1: (a) Small Grid World (6x6); (b) Large Grid World (7x7)] 


Fig. 1. Grid worlds for our robotic planning example. Darker background indicates 
higher cost and letters indicate: start and end points (S, E), impassable locations (X), 
delivery locations (O), charging stations (C). 


Here, we assume that each grid cell has a cost representing how long it takes 
to traverse, with the cost of a path (the total mission time) being the sum of the 
costs of its cells. In Fig. 1, we show higher-cost cells as being darker, with the costs 
ranging from 0-3 for the small world and 0-10 for the large world. The layout of 
the map was chosen to admit a variety of different paths, motivated as follows: 
we envision an impassible river dividing the top and bottom halves of the map, 
with one low-cost bridge and two high-cost fords. The top-left charging station 
is a windmill and requires climbing a hill to access; there is also a hydroelectric 
station next to the river, and an easily-accessible substation near the main north- 
south road. 


Fuzz Testing. Prior work has shown that a variety of programs and protocols 
can be comprehensively tested by randomly sampling from automata encoding 
constraints on acceptable tests [11]. LQCI allows us to preserve such guarantees 
while exercising additional control over which tests are generated. 

As an example, consider the problem of generating randomized network activ- 
ity for a set of devices communicating over TCP; this could be useful to test 
robustness of a network monitoring application or network stack. There are a 
variety of different constraints we might wish to impose on the sequences of pack- 
ets we generate: each connection should conform to the TCP protocol, so that 
the tests are meaningful¹; tests should exhibit a variety of different behaviors 
such as successful/failed connections, interleaving of packets between different 
connections, etc.; and tests should be as short as possible while still exhibiting 
these different behaviors, so that we can maximize the number of tests we can 
perform in a given time. These constraints have trade-offs: for example, tests 
with failed connections that must be retried will necessarily be longer. As in 
the robotic planning example, we formulate these requirements as cost and label 
constraints, which allow us to balance our randomness and control needs. 


¹ We might also want to generate tests that deviate from the protocol. This could be 
done in a variety of ways, e.g. modifying our constraints to allow certain types of 
deviations, or first generating tests that conform to the protocol and subsequently 
mutating them. 

For concreteness, consider the specific example of generating packet traces for 
5 systems communicating over TCP. Our hard constraint can enforce that each 
connection follows the TCP protocol, using an encoding of the operation of the 
protocol as a finite automaton [24] (we will present efficient algorithms for LQCI 
with automata specifications below). Our cost function can assign a cost equal to 
the length of the trace, so that we prefer shorter sequences (whereas if we simply 
sampled uniformly from the language of the TCP automaton up to some length, 
longer sequences would be generated more frequently as there are exponentially 
more of them). Our label function could use two labels, distinguishing traces with 
connections that terminate cleanly from those that involve system failures and 
timeouts (we could also further subdivide into several types of failures). There 
are many more ways for a connection to fail than to terminate cleanly, and 
these two classes of traces might have significantly different lengths on average, 
but we want to ensure that our tests cover both cases adequately. By imposing 
constraints on the expected cost of a trace, as well as randomness constraints 
over the label and within each label class, we can control test length while 
enforcing sufficient diversity among the tests. In fact, we will see below that 
our LQCI algorithms can find the minimum-cost distribution consistent with 
the randomness constraints, thereby allowing us to test as efficiently as possible 
given coverage requirements. 


2.2 Problem Definition 


To formalize synthesis problems like those described above, we define the LQCI 
problem. Following the definition of CI [16,17], we frame the problem as sampling 
words over a finite alphabet $\Sigma$ subject to several constraints. We use the general 
term specification to refer to an encoding of a property of words (a language): 
for example, a deterministic finite automaton (DFA) is a specification, where 
the DFA accepts a word if and only if it satisfies the specification; a Boolean 
formula is another kind of specification. The complexity of the LQCI problem 
will vary depending on the type of specifications used, as we will see later. 


Definition 1. A Labelled Quantitative Control Improvisation (LQCI) instance 
over an alphabet $\Sigma$ is a tuple $\mathcal{C} = (H, K, L, m, n, c, \lambda, \rho, \hat\alpha, \hat\beta)$ which contains: 


- $m, n \in \mathbb{N}$, lower and upper bounds on word length (with $m \le n$); 

- $H$, a hard specification that must be satisfied by all words; 

- $K : \Sigma^* \to \mathbb{Q}$, a cost function mapping words to rational costs; 

- $L : \Sigma^* \to \Omega$, a label function mapping words to a finite set of labels 
$\Omega = \{\ell_1, \ldots, \ell_{|\Omega|}\}$; 

- $c \in \mathbb{Q}^+$, an upper bound on expected cost; 

- $\lambda, \rho \in \mathbb{Q}$, lower and upper bounds on the marginal probability of selecting a 
word with a certain label (with $0 \le \lambda \le \rho \le 1$); 

- $\hat\alpha_i, \hat\beta_i \in \mathbb{Q}$, lower and upper bounds on the conditional probability of words in 
label class $\ell_i$ (with $0 \le \hat\alpha_i \le \hat\beta_i \le 1$ for all $i$). 


We note that the specifications and functions above are abstract, and our 
definition does not make any assumptions about how they will be encoded in 
a particular problem. For example, the hard constraint H over words might 
be instantiated as the language of a DFA, context-free grammar, etc. Later in 
the paper we will develop algorithms for solving classes of LQCI instances with 
specification formalisms that satisfy certain properties. 

The restriction to finite traces (via the length bounds m and n) is consistent 
with prior work on using CI for robotic planning [19]: we frequently want plans 
that complete within a time limit. Likewise in fuzz testing we want tests of 
bounded length. Furthermore, as we will see, finite-trace LQCI is still a highly 
nontrivial problem, so we leave its extension to infinite traces as future work. 

Given an LQCI instance, we define several convenient notations: 


— $\Sigma^{m:n}$ is all words satisfying the length bounds: $\{w \in \Sigma^* \mid m \le |w| \le n\}$. 

— The set of improvisations $I$ consists of all words satisfying the length bounds 
and the hard specification. These are all the words which our improviser is 
allowed to generate. 

— Since the length bounds $m, n$ ensure $I$ is finite, we can consider the image of 
$I$ under $K$, which must also be finite. We will refer to this set of possible costs 
as $\Theta = \{\theta_1, \ldots, \theta_{|\Theta|}\}$ (note that enumerating $\Theta$ may require an algorithm). 

— The cost class $I_{i,k}$ consists of all words with label $\ell_i$ and cost $\theta_k$ which sat- 
isfy the length bounds and the hard specification, i.e., 
$\{w \in \Sigma^{m:n} \mid w \in L(H),\ L(w) = \ell_i,\ K(w) = \theta_k\}$. As the costs of all words in a cost class are 
equal, we may speak of the cost of a cost class without ambiguity. 

— The label class $I_i$ consists of all words with label $\ell_i$ as above but any cost, 
i.e., $\bigcup_k I_{i,k}$. 

— We write $\Pr[X(w) \mid w \leftarrow D]$ (or $\mathbb{E}[\ldots]$ for the expected 
value) for the probability of $X(w)$ given that $w$ is sampled from distribution $D$. 


Definition 2. Given an LQCI instance $\mathcal{C}$, a distribution $D$ over $\Sigma^*$ is an impro- 
vising distribution for that instance if it satisfies the following constraints: 


Hard Constraint: $\Pr[w \in I \mid w \leftarrow D] = 1$ (1) 

Cost Constraint: $\mathbb{E}[K(w) \mid w \leftarrow D] \le c$ (2) 

Randomness over Labels: $\forall i \in \{1, \ldots, |\Omega|\},\ \lambda \le \Pr[w \in I_i \mid w \leftarrow D] \le \rho$ (3) 

Randomness over Words: $\forall i \in \{1, \ldots, |\Omega|\},\ \forall y \in I_i,$ 
$\hat\alpha_i \le \Pr[y = w \mid w \in I_i,\ w \leftarrow D] \le \hat\beta_i$ (4) 


We say that an LQCI instance is feasible if there exists an improvising dis- 
tribution for it (and infeasible otherwise). An improviser for an LQCI instance 
is a probabilistic algorithm which takes no input, has finite expected runtime, 
and whose output distribution is an improvising distribution. Given an LQCI 
instance C, the LQCI problem is then to determine if C is feasible, and, if so, 
to generate an improviser for C. Finally, an improvisation scheme for a class 
of LQCI instances is a probabilistic algorithm with finite expected runtime that 
solves the LQCI problem for instances in that class. 


As described in the preceding sections, the goal of our problem definition 
is to provide formal guarantees about the randomness of improvisations while 
respecting the various constraints. In some applications, we may simply wish 
to maximize randomness: then precise control over the randomness parameters 
for each label class is not needed, and in fact finding values of $\hat\alpha_i, \hat\beta_i$ which 
maximize randomness while remaining feasible is nontrivial. Building on our 
analysis of the basic LQCI problem in the next several sections, in Sect. 6 we 
will introduce a maximum-entropy version of LQCI which directly maximizes 
randomness without requiring $\hat\alpha_i$ and $\hat\beta_i$ to be explicitly specified. 


3 Feasibility Conditions and the Greedy Construction 


In this section, we introduce a greedy construction which will be used to provide 
necessary and sufficient conditions for an LQCI instance to be feasible. This 
construction will also form the basis of the improvisation schemes presented 
later in the paper. For now, we will present the construction without assuming 
any particular specification formalism and ignoring algorithmic concerns: the 
description presented here will consider traces one by one and thus be inefficient. 
The next section will develop efficient implementations of these ideas. 

The greedy LQCI construction is separated into two phases. In the first phase, 
the greedy cost construction, we define a distribution over each label class indi- 
vidually, greedily optimizing cost by giving as much weight as we can to the 
cheapest elements while respecting the randomness over words condition. In 
the second phase, the greedy label construction, we define a distribution over 
labels, greedily assigning maximum marginal probability to the label classes 
with the cheapest expected costs under the distributions from the first phase 
while respecting the randomness over labels condition. The intuition is that we 
want to first make sampling within each label class as cheap as possible, and 
then sample from the cheapest classes as often as possible, while satisfying the 
randomness requirements. We will prove below that this greedy approach in fact 
yields an improvising distribution whenever one exists. 


Toy Example. We will begin with a toy example which illustrates the idea and 
correctness of the greedy construction. Suppose we want to sample from words 
of length 3 ($m = n = 3$) over the binary alphabet $\Sigma = \{0, 1\}$, subject to the 
hard constraint that each word must contain at least one 1. We will have two 
label classes: words with an odd number of 1s will be in label 1, and those with 
an even number in label 2. The cost of each word will be its integer value in 
binary. The label parameters will be $\lambda = 0.2$ and $\rho = 1.0$, so that each label 
must be sampled from with a probability at least 0.2 and at most 1.0. The word 
randomness parameters will be $\hat\alpha_1 = \hat\alpha_2 = 0.1$ and $\hat\beta_1 = \hat\beta_2 = 0.5$, so that when 
sampling from a particular label class, each word in the class must be selected 
with probability at least 0.1 and at most 0.5. 

Figure 2 shows the greedy construction applied to this LQCI instance. Begin- 
ning with label 1, we need to construct a probability distribution over the words 
001, 010, 100, and 111. We start by assigning 0.1 to each word, since $\hat\alpha_1 = 0.1$. 
Then we assign as much additional probability as we can (up to $\hat\beta_1 = 0.5$) to 
the cheapest words first until a total of 1 is reached, as shown in the bottom 
left of Fig. 2. The result is that there are 3 distinct probabilities within the label 
class: the minimum $\hat\alpha_1 = 0.1$, the maximum $\hat\beta_1 = 0.5$, and the overflow 
probability 0.3 on the word 010. This process results in a distribution over label 1 
with expected cost 2.2, the minimum achievable while satisfying the randomness 
over words constraint. A similar process yields a distribution of expected cost 
4.1 on label 2. Now that we know the minimum expected cost for each label, we 
should sample from the cheaper label as frequently as possible. Since $\lambda = 0.2$ 
and $\rho = 1.0$, we sample from label 2 with probability 0.2 (the minimum allowed) 
and from label 1 with probability 0.8, yielding a distribution over improvisations 
with expected cost 2.58. Our analysis will show that this is in fact the minimum 
possible expected cost over all distributions satisfying conditions (1), (3), and 
(4) in Definition 2. So if the cost bound $c$ in the LQCI instance is at least this 
large, then we have an improvising distribution, and otherwise the instance is 
infeasible. 

We now describe the two phases of our construction formally. 


The Greedy Cost Construction. For a particular label class $i \in \{1, \ldots, |\Omega|\}$, 
we proceed as follows. Let $\delta^i = (\delta^i_1, \ldots, \delta^i_{|\Theta|})$ be a list of all the cost classes $I_{i,k}$ 
with label $\ell_i$, sorted in increasing order of cost. Then fix 

$$o_i = \frac{1 - \hat\alpha_i\,|I_i|}{\hat\beta_i - \hat\alpha_i},$$ 

whose floor is the maximum number of words that can be assigned $\hat\beta_i$ probability (the max- 
imum allowed) while still leaving at least $\hat\alpha_i$ probability (the minimum allowed) 
for each remaining word. Then, moving through the cost classes in the order 
given by $\delta^i$, we assign $\hat\beta_i$ probability to each word in the class, until we get to a 
class $\delta^i_t$ where the cumulative number of words so far (including the new class) 
would exceed $o_i$. To this class we assign 

$$\hat\beta_i\Big(o_i - \sum_{j=1}^{t-1} |\delta^i_j|\Big) + \hat\alpha_i\Big(\sum_{j=1}^{t} |\delta^i_j| - o_i\Big)$$ 

probability (spread uniformly over words in the class), the maximum allowed 
while leaving exactly $\hat\alpha_i$ for each remaining word. Assigning $\hat\alpha_i$ to the remaining 
words, we obtain a distribution $D_i$ over the whole label class $I_i$. 

We note that this process is not well-defined when $\hat\alpha_i = \hat\beta_i$ (in which case we 
simply assign probability $\hat\alpha_i$ to every word in $I_i$) or when $\hat\alpha_i |I_i| > 1$ (in which 
case the instance is infeasible due to $\hat\alpha_i$ being too large); also, the process does 
not result in a probability distribution if $\hat\beta_i |I_i| < 1$ (in which case the instance is 
infeasible due to $\hat\beta_i$ being too small). Except in these cases, we get a well-defined 
distribution $D_i$ over $I_i$ which satisfies conditions (1) and (4) of Definition 2. 
Moreover, the expected cost of $D_i$ is minimal among all such distributions, since 
it assigns as much weight as possible to the words with lowest cost. 

Word | Label | Cost 
001  | $\ell_1$ | 1 
010  | $\ell_1$ | 2 
011  | $\ell_2$ | 3 
100  | $\ell_1$ | 4 
101  | $\ell_2$ | 5 
110  | $\ell_2$ | 6 
111  | $\ell_1$ | 7 


[Fig. 2 diagrams: greedy cost construction (label 1: probabilities 0.5, 0.3, 0.1, 0.1 on 
001, 010, 100, 111, expected cost 2.2; label 2: 0.5, 0.4, 0.1 on 011, 101, 110, expected 
cost 4.1); greedy label construction (Pr = 0.8 on label 1, 0.2 on label 2); final 
improvising distribution. Legend: Minimum Conditional Probability ($\hat\alpha$); Additional 
Conditional Probability (up to $\hat\beta$); Minimum Marginal Probability ($\lambda$); Additional 
Marginal Probability (up to $\rho$).] 


Fig. 2. Applying the greedy LQCI construction to our toy example. Counter-clockwise 
from upper left: table of improvisations, the greedy cost construction, the greedy label 
construction, and the final improvising distribution. 


The Greedy Label Construction. Given the distributions $D_i$ for each label 
class $I_i$ from the first stage, we now choose a distribution over labels. Following 
a similar pattern as before, let $\delta$ be a list of the distributions $D_i$ sorted in order 
of increasing expected cost. Then fix 

$$u = \Big\lfloor \frac{1 - \lambda\,|\Omega|}{\rho - \lambda} \Big\rfloor,$$ 

which is the number of label classes that can be assigned probability $\rho$ (the 
maximum allowed) while still leaving at least $\lambda$ (the minimum allowed) for each 
remaining class. We assign $\rho$ probability to the first $u$ label classes in $\delta$. To the 
next label class we assign probability $1 - \rho u - \lambda(|\Omega| - u - 1)$, the maximum 
allowed while leaving exactly $\lambda$ for each remaining label class. Finally, we assign 
$\lambda$ to all remaining label classes, and call the resulting distribution over labels $D$. 
Similar to before, this process will be well-defined and result in a distribution 
when $1/\rho \le |\Omega| \le 1/\lambda$; otherwise, $\rho$ is too small or $\lambda$ is too large for 
condition (3) of Definition 2 to be satisfied. 


To complete the construction, we obtain a final distribution $D$ over words by 
first sampling a label $\ell_i$ from the label distribution $D$ and then sampling from $D_i$. 
The greedy cost construction ensured that $D_i$ is defined over the class $I_i \subseteq I$ and 
assigns probability between $\hat\alpha_i$ and $\hat\beta_i$ to each word, so $D$ will satisfy the hard 
and randomness over words constraints in Definition 2. The greedy label construction 
ensures that the label distribution assigns probability between $\lambda$ and $\rho$ to each 
label, so $D$ will also satisfy the randomness over labels constraint. Finally, since 
each phase selects a distribution of minimal cost amongst those satisfying the 
corresponding constraints, if any improvising distribution exists then $D$ will have 
no greater cost, thereby satisfying the cost constraint and being an improvising 
distribution. Formalizing this argument yields the following theorem (see the 
Appendix [21] for details): 


Theorem 1. An LQCI instance is feasible if and only if all of the following 
conditions are true: 

1. $\dfrac{1}{\rho} \le |\Omega| \le \dfrac{1}{\lambda}$; 

2. $\dfrac{1}{\hat\beta_i} \le |I_i| \le \dfrac{1}{\hat\alpha_i}$ for all $i \in \{1, \ldots, |\Omega|\}$; 

3. The greedy LQCI construction produces a distribution $D$ whose expected cost 
is at most $c$ (i.e., $\mathbb{E}[K(w) \mid w \leftarrow D] \le c$). 
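As an added example (not code from the paper or its authors), the following Python implements the greedy cost and label constructions of this section on the toy instance above, word by word as in the abstract construction, and then checks the result against the four conditions of Definition 2. Function and parameter names are ours; exact rationals are used so that the expected costs 2.2, 4.1 and 2.58 from the text are reproduced exactly rather than approximately.

```python
from fractions import Fraction
from itertools import product
from math import floor

# Constructed toy instance from Sect. 3 (parameter names are ours): words of
# length 3 over {0,1} containing at least one 1; label 1 = odd number of 1s,
# label 2 = even; cost = the word's value in binary.
LAMBDA, RHO = Fraction(2, 10), Fraction(1)          # lambda, rho
ALPHA = {1: Fraction(1, 10), 2: Fraction(1, 10)}     # alpha-hat_i per label
BETA = {1: Fraction(1, 2), 2: Fraction(1, 2)}        # beta-hat_i per label

def improvisations():
    """The set I, enumerated explicitly (fine for a toy; Sect. 4 avoids this)."""
    return ["".join(b) for b in product("01", repeat=3) if "1" in b]

def label(w):
    return 1 if w.count("1") % 2 == 1 else 2

def cost(w):
    return Fraction(int(w, 2))

def greedy_cost(words, alpha, beta):
    """Greedy cost construction for one label class: word -> probability,
    or None when alpha is too large / beta too small (condition 2 fails)."""
    n = len(words)
    if alpha * n > 1 or beta * n < 1:
        return None
    if alpha == beta:
        return {w: alpha for w in words}
    o = (1 - alpha * n) / (beta - alpha)     # o_i: how many words can get beta
    classes = {}                             # cost classes delta^i, keyed by cost
    for w in words:
        classes.setdefault(cost(w), []).append(w)
    dist, seen = {}, 0                       # seen = words in earlier classes
    for theta in sorted(classes):            # cheapest cost class first
        cls = classes[theta]
        if seen + len(cls) <= o:
            p = beta
        elif seen < o:                       # straddling class gets the overflow
            p = (beta * (o - seen) + alpha * (seen + len(cls) - o)) / len(cls)
        else:
            p = alpha
        dist.update({w: p for w in cls})
        seen += len(cls)
    return dist

def greedy_label(exp_cost, lam, rho):
    """Greedy label construction: label -> marginal probability, or None."""
    k = len(exp_cost)
    if lam * k > 1 or rho * k < 1:
        return None                          # condition 1 of Theorem 1 fails
    if lam == rho:
        return {l: lam for l in exp_cost}
    u = floor((1 - lam * k) / (rho - lam))   # classes that can receive rho
    marg = {}
    for idx, l in enumerate(sorted(exp_cost, key=exp_cost.get)):
        if idx < u:
            marg[l] = rho
        elif idx == u:                       # straddling class gets the rest
            marg[l] = 1 - rho * u - lam * (k - u - 1)
        else:
            marg[l] = lam
    return marg

def expected_cost(dist):
    return sum(p * cost(w) for w, p in dist.items())

def greedy_lqci(words, lam, rho, alpha, beta):
    """Both phases combined. Returns (distribution over words, per-label
    expected costs, label marginals), or None if condition 1 or 2 fails."""
    by_label = {}
    for w in words:
        by_label.setdefault(label(w), []).append(w)
    conds = {l: greedy_cost(ws, alpha[l], beta[l]) for l, ws in by_label.items()}
    if any(d is None for d in conds.values()):
        return None
    exp_cost = {l: expected_cost(d) for l, d in conds.items()}
    marg = greedy_label(exp_cost, lam, rho)
    if marg is None:
        return None
    dist = {w: marg[l] * p for l, d in conds.items() for w, p in d.items()}
    return dist, exp_cost, marg

def is_improvising(dist, c, lam, rho, alpha, beta):
    """Check conditions (1)-(4) of Definition 2 for an explicit distribution."""
    words = improvisations()
    if any(w not in words for w in dist) or sum(dist.values()) != 1:
        return False                                         # (1) hard constraint
    if expected_cost(dist) > c:
        return False                                         # (2) cost constraint
    for l in set(map(label, words)):
        marg = sum(p for w, p in dist.items() if label(w) == l)
        if not lam <= marg <= rho:
            return False                                     # (3) labels
        if marg == 0:
            continue                         # conditional probabilities undefined
        for w in words:
            if label(w) == l and not alpha[l] <= dist.get(w, 0) / marg <= beta[l]:
                return False                                 # (4) words
    return True

if __name__ == "__main__":
    dist, exp_cost, marg = greedy_lqci(improvisations(), LAMBDA, RHO, ALPHA, BETA)
    print(exp_cost, marg, float(expected_cost(dist)))  # 2.2 / 4.1, 0.8 / 0.2, 2.58
```

Feasibility for a given bound $c$ is then just `greedy_lqci(...)` returning a distribution whose `expected_cost` is at most $c$, which is condition 3 of Theorem 1; conditions 1 and 2 are the early `None` returns.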


We conclude this section with a reminder that the greedy LQCI construction 
is a construction and not a practical algorithm: it defines a distribution but not 
a practical way to compute it for a specified LQCI instance. With common spec- 
ification formalisms such as DFAs and Boolean formulas, the number of possible 
improvisations can easily be exponential in the size of the problem instance. In 
this case, assigning probabilities to words one at a time as described above in 
the abstract construction would be highly impractical. Instead, the algorithms 
we present in the following sections are able to avoid enumerating exponentially- 
large sets by working with implicit representations to create distributions equal 
to or approximating the one produced by the greedy LQCI construction. 


4 Exact LQCI for Automata Specifications 


The greedy LQCI construction from Sect. 3 gives us a way to determine if an 
LQCI instance is feasible and, if so, to build an improvising distribution. Imple- 
menting the construction requires several operations—such as computing the 
size of the label/cost classes—which may or may not be tractable depending on 
the types of specification used in the instance. In this section, we will identify a 
sufficient list of operations which yield an efficient generic improvisation scheme 
for any class of LQCI instances with specifications supporting these operations. 
Then we will instantiate the scheme for two natural classes of specifications given 
by deterministic finite automata, obtaining efficient improvisation algorithms. 

Following the description of the preceding section, we can see that for a given 
LQCI instance, the operations listed below are sufficient to complete the greedy 
LQCI construction and sample from the resulting distribution: 


Definition 3. (Sufficient Operations) Given an LQCI instance C: 


1. Compute the list of possible costs $\Theta$. 
2. For each $i \in \{1, \ldots, |\Omega|\}$ and $k \in \Theta$, compute $|I_{i,k}|$. 
3. For each $i \in \{1, \ldots, |\Omega|\}$ and $k \in \Theta$, sample uniformly from $I_{i,k}$. 

If we can implement these operations in polynomial time, we can build a 
polynomial-time improvisation scheme in the sense of [16,17], i.e., an algorithm 
which solves the LQCI problem in polynomial time, and whose generated impro- 
visers themselves run in polynomial (expected) time. To do this we first compute 
the list of possible costs and the size of each $I_{i,k}$. We then perform a modified ver- 
sion of the greedy construction which assigns probabilities to entire cost classes 
instead of individual words. As each word in a class has the same label and cost, 
we can satisfy our cost and randomness requirements with a distribution that 
assigns the same probability to every word within a class. Then to implement 
placing probability $p$ on each word of $I_{i,k}$ without enumerating this potentially 
exponentially-large set, we simply choose the set with probability $p\,|I_{i,k}|$ and 
then sample uniformly from it (see the Appendix [21] for a detailed argument). 


Theorem 2. Suppose for a class of LQCI instances the operations in 
Definition 3 can be performed in polynomial time (in the size of the instance). 
Then there is a polynomial-time improvisation scheme for that class. 


One broad class of specifications to which this scheme can apply is determin- 
istic finite automata (DFAs): for example, we can encode the specifications from 
our robotic planning example as DFAs. While a DFA can encode the hard speci- 
fication H directly, encoding cost and label functions is not as clear. We consider 
two natural encodings: most simply, we can label each state of the DFA with an 
integer, assigning the associated label/cost to words ending at that state. 


Theorem 3. Consider the class of LQCI instances where H is a DFA, K and 
L are given by DFAs which output an integer cost/label associated with the state 
they end on, the length bounds are given in unary and all other numerical param- 
eters in binary. This class has a polynomial-time improvisation scheme. 


Proof (Sketch). Operation (1) is trivial. For (2) and (3), we can easily construct 
DFAs accepting all improvisations with a given label and cost, then apply clas- 
sical techniques for counting/sampling from the language of a DFA [23]. 


To capture cost functions like path length or mission time (as in our planning 
example), we consider a second encoding using weighted DFAs: states are again 
labeled with integers, but the cost is now given by accumulating costs from every 
state passed through. Here, the number of possible costs can grow linearly with 
the largest cost of a single state, and so be exponential in the size of the (binary) 
encoding; as a result we only obtain a pseudopolynomial improvisation scheme 
by applying Theorem 2. The algorithm can still be feasible, however, when the 
magnitude of possible costs is not too large, as we will see in Sect. 7. 


Theorem 4. Consider the class of LQCI instances as in Theorem 3 but where 
K is given by a weighted DFA, i.e. summing the integer costs associated with 
each state of a DFA accepting path (with multiplicity). This class has a pseu- 
dopolynomial improvisation scheme. 
Proof (Sketch). We can perform operation (1) by dynamic programming over 
the states and word lengths up to the length bound $n$. If the maximum cost of 
a state in the DFA for $K$ is $M$, then the cost of an improvisation is at most 
$M(n + 1)$; so for (2) and (3) we can build DFAs of size $\mathrm{poly}(M, n)$ recognizing 
$I_{i,k}$, and then apply counting/sampling as above. If state costs were encoded in 
unary, the operations above would take polynomial time and Theorem 2 would 
apply. Converting from binary to unary yields a pseudopolynomial scheme. 
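As an added illustration of the three operations of Definition 3 for the weighted-DFA encoding of Theorem 4 (example code, not from the paper): a constructed three-state weighted DFA, a forward dynamic program over (length, state, accumulated cost) that yields the possible costs and every $|I_{i,k}|$ without enumerating words, and a backward walk that samples uniformly from a chosen cost class. The DFA, its state costs and the length bounds are our assumptions; the brute-force enumerator at the end exists only to cross-check the counts on this toy and is exactly what the dynamic program avoids.

```python
import random
from itertools import product

# Constructed weighted DFA (a hypothetical instance, not the paper's): hard
# specification "contains at least one 1", label = parity of the number of 1s,
# and each state carries an integer cost accumulated along the path, as in
# the weighted-DFA encoding of Theorem 4.
ALPHABET = "01"
START = "s"
DELTA = {("s", "0"): "s", ("s", "1"): "odd",
         ("odd", "0"): "odd", ("odd", "1"): "even",
         ("even", "0"): "even", ("even", "1"): "odd"}
ACCEPT_LABEL = {"odd": 1, "even": 2}       # accepting states -> label
STATE_COST = {"s": 0, "odd": 1, "even": 2}
M, N = 3, 4                                # length bounds m <= |w| <= n

def forward_counts(n=N):
    """table[t][(q, c)] = number of words of length t that lead to state q with
    accumulated cost c (sum over all t+1 states visited, start included)."""
    table = [dict() for _ in range(n + 1)]
    table[0][(START, STATE_COST[START])] = 1
    for t in range(n):
        for (q, c), cnt in table[t].items():
            for a in ALPHABET:
                q2 = DELTA[(q, a)]
                key = (q2, c + STATE_COST[q2])
                table[t + 1][key] = table[t + 1].get(key, 0) + cnt
    return table

def class_sizes(m=M, n=N):
    """Operations (1)/(2) of Definition 3: {(label, cost): |I_{i,k}|}, computed
    from the table rather than by enumerating words."""
    table = forward_counts(n)
    sizes = {}
    for t in range(m, n + 1):
        for (q, c), cnt in table[t].items():
            if q in ACCEPT_LABEL:
                key = (ACCEPT_LABEL[q], c)
                sizes[key] = sizes.get(key, 0) + cnt
    return sizes

def possible_costs(m=M, n=N):
    """The set Theta of costs attained by at least one improvisation."""
    return sorted({c for (_, c) in class_sizes(m, n)})

def weighted_choice(items, rng):
    """Pick an item with probability proportional to its integer weight."""
    r = rng.randrange(sum(w for _, w in items))
    for item, w in items:
        if r < w:
            return item
        r -= w

def sample_class(lab, cst, rng, m=M, n=N):
    """Operation (3): a uniformly random word of I_{lab,cst}, or None if empty.
    Choose the (length, final state) pair in proportion to its word count, then
    walk backwards choosing predecessors in proportion to their prefix counts."""
    table = forward_counts(n)
    ends = [((t, q), cnt) for t in range(m, n + 1)
            for (q, c), cnt in table[t].items()
            if ACCEPT_LABEL.get(q) == lab and c == cst]
    if not ends:
        return None
    t, q = weighted_choice(ends, rng)
    c, word = cst, []
    while t > 0:
        c -= STATE_COST[q]                    # cost of the prefix before q
        preds = [((p, a), table[t - 1].get((p, c), 0))
                 for (p, a), q2 in DELTA.items() if q2 == q]
        q, a = weighted_choice([x for x in preds if x[1] > 0], rng)
        word.append(a)
        t -= 1
    return "".join(reversed(word))

def sample_many(lab, cst, count, seed=0):
    rng = random.Random(seed)
    return [sample_class(lab, cst, rng) for _ in range(count)]

def run(word):
    """(label, cost) if the DFA accepts word, else None; the brute-force oracle."""
    q, c = START, STATE_COST[START]
    for a in word:
        q = DELTA[(q, a)]
        c += STATE_COST[q]
    return (ACCEPT_LABEL[q], c) if q in ACCEPT_LABEL else None

def brute_force_sizes(m=M, n=N):
    """Cross-check for class_sizes by enumeration (exponential; toy only)."""
    sizes = {}
    for t in range(m, n + 1):
        for bits in product(ALPHABET, repeat=t):
            r = run("".join(bits))
            if r is not None:
                sizes[r] = sizes.get(r, 0) + 1
    return sizes
```

The table has one entry per (length, state, cost) triple, so its size is bounded by $n \cdot |Q| \cdot M(n+1)$, which is the pseudopolynomial dependence on the largest state cost $M$ that the proof sketch describes; the backward walk multiplies the ratios of prefix counts along the chosen path, and those ratios telescope to exactly $1/|I_{i,k}|$ for every word in the class.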


5 Approximate LQCI for Symbolic Specifications 


The LQCI algorithms for DFAs that we developed in the previous section cover 
many useful specifications; however, as we will see in Sect. 7, even fairly simple 
specifications can require very large automata when represented explicitly. In 
this section we propose an algorithm that avoids such blowup by working with 
symbolic specifications given by Boolean formulas. We cannot use our scheme of 
Theorem 2 directly, because counting the number of solutions of a Boolean for- 
mula is #P-hard. Nevertheless, we will show that by leveraging recent advances 
in SAT solving, we can approximately solve LQCI to any desired accuracy. 

We consider LQCI instances with specifications given by Boolean formulas, 
whose variables encode traces and costs; for modeling convenience, we also allow 
a vector of auxiliary variables z. Specifically, we assume we are given: 


— a conjunctive normal form (CNF) formula $h(x, z)$ such that $\exists z.\, h(x, z)$ holds
if and only if the bitvector $x$ encodes a trace satisfying the hard constraint;

— a CNF formula $\ell(x, y, z)$ such that $\exists z.\, \ell(x, y, z)$ holds if and only if trace $x$
has the label encoded by the bitvector $y$;

— a CNF formula $k(x, y, z)$ such that $\exists z.\, k(x, y, z)$ holds iff trace $x$ has cost $y$ (a
positive integer).


We further assume that the instance has only a polynomial number of labels, 
although there can be exponentially-many costs. 

Given such an instance, we can readily build a CNF formula $\phi_i(x, y, z)$ which
is satisfiable iff $x$ encodes a word which has length between $m$ and $n$, satisfies the
hard constraint, belongs to label $i$, and has cost $y$. The solutions $x$ for a particular
choice of $i$ and $y$ comprise the associated cost class, so that the operations we
need for the greedy construction are instances of the model counting and uniform
generation problems for SAT.² Recent work has yielded practical algorithms
based on SAT solvers which solve these problems approximately [7,27]³:


² Since we do not want to count over the auxiliary variables $z$, we actually require
projected counting/sampling, which the algorithms we use can also perform [7,17].

³ We note that UniGen [6,7] is not strictly speaking an almost-uniform generator as in
Definition 4 since it only supports sufficiently-large tolerances; for theoretical results,
one can substitute the algorithm of [4] to do exact (projected) uniform sampling.
Definition 4. ([7]) An approximate counter is a probabilistic algorithm $C$
which given a CNF formula $F$ with set of solutions $R_F$, a tolerance $\tau > 0$,
and a confidence $1 - \delta \in [0, 1)$ guarantees that

$$\Pr\left[\, |R_F| / (1 + \tau) \le C(F, \tau, 1 - \delta) \le (1 + \tau)\,|R_F| \,\right] \ge 1 - \delta.$$

An almost-uniform generator $G$ is a probabilistic algorithm that, given $F$ as above
and a tolerance $\varepsilon > 0$, guarantees that for every $y \in R_F$, we have

$$1 / \big((1 + \varepsilon)\,|R_F|\big) \le \Pr[G(F, \varepsilon) = y] \le (1 + \varepsilon) / |R_F|.$$


We can modify our greedy construction to work with only approximate count-
ing/sampling as follows. If the cost bitvector has $|y|$ bits, the cost of a word
is between 1 and $2^{|y|}$. To avoid enumerating exponentially-many cost classes
for label $i$, we group words into "cost buckets" by subdividing this interval
into powers of $r$ for some $r > 1$, i.e. $[1, r), [r, r^2), \dots, [r^{b-1}, r^b)$. We will have
$b = O(\log_r(2^{|y|})) = O(|y| / \log r)$ buckets, and we can estimate the size of bucket
$j$ by approximately counting solutions to $\exists z.\,[\phi_i(x, y, z) \wedge (r^{j} \le y < r^{j+1})]$. We
will then use these estimates to choose a distribution over buckets, following
the intuition of the greedy cost construction that we should assign the most
probability to buckets with lowest estimated cost, but with some adjustments
to bound the error that approximate sampling introduces.

For each label class $i$ with randomness parameters $\alpha$ and $\beta$, we apply a
modified form of the greedy cost construction, shown in Algorithm 1. We start
in lines 1-3 by using model counting as above (with a tolerance $\tau$ and confidence
$1 - \delta$ to be specified later) to find estimates $c_k$ of the size of each bucket $k$, and
corresponding lower bounds $p_k$ on how much probability the bucket would have
received in the exact greedy construction (the extra $1 + \tau$ factor accounting for
possibly overestimating the size of the bucket). If these lower bounds total more
than 1, then we know there are too many improvisations for the instance to be
feasible (assuming the model counts are within their tolerance) and we return
false on line 4. Otherwise, on lines 5-7 we proceed as in the greedy construction,
starting from the cheapest bucket, increasing the assigned probability per word
to $(1 + \tau)\beta$ until a probability of 1 is reached. The factor of $1 + \tau$ ensures that,
even if the model counts have underestimated the size of the cheaper buckets, we
still assign them at least as much probability as the exact greedy construction
would. Next, line 8 checks if there are too few improvisations, similarly to line
4. Finally, we return our distribution over buckets, as well as a lower bound on
its expected cost that we will use next.

If Algorithm 1 does not return false for any label class, then we complete 
our approximate LQCI algorithm by running the greedy label construction from 
Sect. 3, using the lower bounds from Algorithm 1 as the expected cost of each 
label class. As before, we declare the instance infeasible if the construction fails or 
if its expected cost exceeds the cost bound c. Otherwise, we obtain a distribution 
over all the cost buckets; our improviser then simply chooses a bucket from this 
distribution and applies almost-uniform sampling to sample a word from it. 

Choosing the bucket count and counting/sampling tolerances appropriately, 
our algorithm can approximate an improvising distribution to within arbitrarily- 
small multiplicative error, using polynomially-many calls to a SAT solver: 
Algorithm 1. ApproximateGreedyCost($\phi_i$, $\alpha$, $\beta$, $r$, $b$, $\tau$, $\delta$)
 1: for $k = 1$ to $b$ do
 2:     $c_k := \#\mathrm{SAT}\big(\exists z.\, \phi_i(x, y, z) \wedge (r^{k-1} \le y < r^{k}),\ \tau,\ 1 - \delta\big)$
 3:     $p_k := \alpha c_k / (1 + \tau)$
 4: if $\sum_{j=1}^{b} p_j > 1$ then return False
 5: for $k = 1$ to $b$ do
 6:     $p_k := \min\big((1 + \tau)\,\beta c_k,\ 1 - \sum_{j \ne k} p_j\big)$
 7:     if $\sum_{j=1}^{b} p_j = 1$ then break
 8: if $\sum_{j=1}^{b} p_j < 1$ then return False
 9: $L_i := \sum_{j=1}^{b} p_j\, r^{j-1}$
10: return $\{p_j\}_{j=1}^{b}$, $L_i$


Theorem 5. There is an algorithm which, given a Boolean LQCI instance $\mathcal{C}$,
a cost tolerance $\zeta > 0$, a randomness tolerance $\gamma > 0$, and a confidence $1 - \delta \in
(0, 1)$, runs in $\mathrm{poly}(|\mathcal{C}|, 1/\zeta, 1/\gamma, \log(1/\delta))$ time relative to an NP oracle and either
returns $\bot$ or an algorithm sampling from a distribution $D$ over words. With
probability at least $1 - \delta$, if $\bot$ is returned then $\mathcal{C}$ is infeasible, and otherwise:

1. Hard Constraint: $\Pr[H(w) \mid w \leftarrow D] = 1$
2. Cost Constraint: $\mathbb{E}[K(w) \mid w \leftarrow D] \le (1 + \zeta)\, c$
3. Randomness over Labels: $\forall i \in \{1, \dots, |\Omega|\}$, $\lambda \le \Pr[w \in I_i \mid w \leftarrow D] \le \rho$
4. Randomness over Words: $\forall i \in \{1, \dots, |\Omega|\}\ \forall y \in I_i$,
   $\alpha_i / (1 + \gamma) \le \Pr[y = w \mid w \in I_i,\ w \leftarrow D] \le (1 + \gamma)\, \beta_i$
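To make the bucket construction concrete, here is an added Python rendering of Algorithm 1 (written for this edit; it is not the authors' implementation). The projected #SAT call of line 2 is replaced by a constructed counter over an explicit multiset of word costs, optionally perturbed within the multiplicative tolerance τ, and UniGen is replaced by exact uniform choice inside a bucket; the names `make_counter`, `simulate`, `demo` and the cost multiset `EXAMPLE_COSTS` are assumptions of the example, as are the parameter values. The returned lower bound holds whatever the counter reports, because every word placed in bucket k costs at least the bucket's lower endpoint.

```python
import math
import random


def approximate_greedy_cost(count, alpha, beta, r, b, tau):
    """Algorithm 1 for one label class, with buckets [r^(k-1), r^k) for
    k = 1..b (stored 0-indexed here). `count(lo, hi)` stands in for the
    projected #SAT call of line 2: an approximate count, within multiplicative
    tolerance tau, of the words in the class with cost y, lo <= y < hi.
    Returns (bucket probabilities, lower bound on the expected cost), or None
    where the paper's algorithm returns False."""
    counts = [count(r ** (k - 1), r ** k) for k in range(1, b + 1)]
    # Lines 1-3: lower bounds on the mass each bucket must receive, discounted
    # by 1 + tau because the count may be an overestimate.
    p = [alpha * c / (1 + tau) for c in counts]
    if sum(p) > 1:                                   # line 4: too many words
        return None
    # Lines 5-7: cheapest bucket first, raise its per-word probability to
    # (1 + tau) * beta (at least what the exact construction would give even
    # if the count is an underestimate), capped by the mass left over once
    # every other bucket keeps its lower bound.
    for k in range(b):
        others = sum(p) - p[k]
        p[k] = min((1 + tau) * beta * counts[k], 1 - others)
        if math.isclose(sum(p), 1.0):
            break
    if not math.isclose(sum(p), 1.0) and sum(p) < 1:  # line 8: too few words
        return None
    lower = sum(p[k] * r ** k for k in range(b))     # line 9: every word in
    return p, lower                                  # bucket k costs >= r^k


def make_counter(costs, tau=0.0, seed=0):
    """Constructed stand-in for #SAT over an explicit multiset of word costs
    (in the paper the words exist only implicitly as solutions of phi_i).
    With tau > 0 the exact count is perturbed by a factor drawn from
    [1/(1+tau), 1+tau], i.e. what an approximate counter guarantees whenever
    its confidence event holds."""
    rng = random.Random(seed)

    def count(lo, hi):
        exact = sum(1 for y in costs if lo <= y < hi)
        if tau == 0 or exact == 0:
            return exact
        log_factor = rng.uniform(-math.log(1 + tau), math.log(1 + tau))
        return exact * math.exp(log_factor)
    return count


def simulate(costs, p, r, n, seed=0):
    """Improviser: pick a bucket from p, then a word uniformly inside it
    (exact uniform choice stands in for UniGen). Returns the sampled costs."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        k = rng.choices(range(len(p)), weights=p)[0]
        members = [y for y in costs if r ** k <= y < r ** (k + 1)]
        out.append(rng.choice(members))
    return out


# Constructed label class: 2 words of cost 1, 3 of cost 2, 4 of cost 5 and 10
# of cost 10; with r = 2 and b = 4 the buckets are [1,2), [2,4), [4,8), [8,16).
EXAMPLE_COSTS = [1, 1, 2, 2, 2, 5, 5, 5, 5] + [10] * 10


def demo(tau=0.5, seed=0):
    """Run the construction with a noisy counter and estimate E[cost] of the
    resulting improviser; returns (p, lower bound, empirical mean cost)."""
    result = approximate_greedy_cost(make_counter(EXAMPLE_COSTS, tau, seed),
                                     alpha=0.0, beta=0.2, r=2, b=4, tau=tau)
    if result is None:
        return None
    p, lower = result
    sampled = simulate(EXAMPLE_COSTS, p, 2, 2000, seed)
    return p, lower, sum(sampled) / len(sampled)
```

With an exact counter (τ = 0), α = 0 and β = 0.2, the greedy pass fills the cheapest bucket to 0.4 and the next to 0.6 and stops, giving the lower bound 0.4·1 + 0.6·2 = 1.6; raising α to 0.1 trips the line 4 check and lowering β to 0.01 trips the line 8 check.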


6 Maximum-Entropy LQCI 


Our LQCI definition requires providing conditional probability bounds for every 
label, which while allowing maximal control of the distribution, can be unwieldy 
to use. However, if we drop conditional bounds entirely, trivial solutions with 
unnecessarily-poor randomness can appear. For example, consider an LQCI
instance with parameters $\lambda = 0.5$, $\rho = 0.5$, $\alpha = (0, \dots, 0)$, $\beta = (1, \dots, 1)$. With
this choice, any distribution will satisfy the randomness over words constraint,
and all labels have the same marginal probability of being selected. Then assume
that we have two labels, costs $(1, 2)$, and cost bound $c = 1.5$, along with
the following cost class sizes: $|I_{1,1}| = 1$, $|I_{2,1}| = 1$, $|I_{1,2}| = 1000$, $|I_{2,2}| = 1000$.
Now simply assigning 50% probability to $I_{1,1}$ and 50% probability to $I_{2,1}$ is an
improvising distribution. Assigning 25% probability to all 4 classes is also an
improvising distribution, and clearly preferable from the perspective of random-
ness. Unfortunately, without a nontrivial randomness over words constraint, we
have no way to push the improviser to select the second distribution. To enforce
this, we introduce the concept of entropy from information theory.


Definition 5. Given a discrete random variable $X$ with a set of outcomes $\Omega$ and
probabilities $p : \Omega \to [0, 1]$, the entropy of $X$ is $H(X) = -\sum_{x \in \Omega} p(x) \lg p(x)$.
To obtain a problem formulation that maximizes randomness without requiring
probability bounds for each class, we invoke the Principle of Maximum
Entropy: amongst all improvising distributions (without a randomness over
words constraint), we should select the one with the highest entropy (as first
proposed for reactive CI in [30]). This yields a notion of Maximum-Entropy
LQCI:

Definition 6. A Maximum-Entropy LQCI (MELQCI) instance is an LQCI
instance where $\alpha = (0, \dots, 0)$ and $\beta = (1, \dots, 1)$. A $\tau$-improviser for a MELQCI
instance $\mathcal{C}$ is an improviser (as in LQCI) whose output distribution has entropy
at most $\tau$ less than the maximum-entropy improvising distribution for $\mathcal{C}$. We
define the MELQCI problem as, given an instance $\mathcal{C}$ and $\tau > 0$, determining if
$\mathcal{C}$ is feasible, and, if so, generating a $\tau$-improviser for $\mathcal{C}$.


We can solve MELQCI efficiently in the same cases as LQCI: 


Theorem 6. Given a class of MELQCI instances for which one can perform
the operations in Definition 3 in polynomial time, there is a polynomial-time
algorithm which given an instance from the class and a $\tau > 0$, computes a $\tau$-
improviser.


Proof (Sketch). Once cost class sizes have been computed as in Theorem 2,
the search for the desired distribution over cost classes can be formulated as
an optimization problem with a separable convex objective (the entropy of the
distribution) and linear constraints (improviser constraints). This problem can
be solved in time polynomial in the size of the instance and $\log(1/\tau)$ [10].


As in Sect.4, we can transform this algorithm into a pseudopolynomial 
scheme for accumulated-cost DFA specifications. 
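As an added worked example for the MELQCI instance discussed above (written for this edit, not from the paper; the general case is the convex program of [10]), the Python below solves for the maximum-entropy distribution over cost classes in the special case λ = ρ, where each label's total mass is fixed and the only Lagrange multiplier left is ν ≥ 0 for the cost bound E[K(w)] ≤ c. The KKT conditions then give class masses proportional to |I_{i,j}| e^{−ν·cost_j} within a label, with words uniform inside each class, and ν is found by bisection since the expected cost is non-increasing in ν. On the instance in the text this recovers the 25%-each distribution (ν = ln 1000) and compares its entropy with the 1 bit of the 50/50 distribution. The function names and the equality assumption on the label bounds are assumptions of this example.

```python
import math

# Constructed instance from the text of Sect. 6: two labels (i = 0, 1), two
# costs (j = 0 has cost 1, j = 1 has cost 2), and cost class sizes |I_{i,j}|.
COSTS = (1, 2)
SIZES = {(0, 0): 1, (1, 0): 1, (0, 1): 1000, (1, 1): 1000}
LABEL_MASS = (0.5, 0.5)          # lambda = rho = 0.5 fixes each label's mass
COST_BOUND = 1.5


def class_masses(sizes, costs, label_mass, nu):
    """Maximum-entropy candidate for a fixed multiplier nu: within label i the
    mass of cost class (i, j) is proportional to |I_{i,j}| * exp(-nu * cost_j),
    normalised so that label i receives exactly label_mass[i]. Words inside a
    class are uniform, the entropy-maximising choice for a fixed class mass.
    The exponent is shifted by the label's cheapest cost to avoid underflow."""
    q = {}
    for i, mass in enumerate(label_mass):
        classes = {j: n for (i2, j), n in sizes.items() if i2 == i and n > 0}
        base = min(costs[j] for j in classes)
        weights = {j: n * math.exp(-nu * (costs[j] - base))
                   for j, n in classes.items()}
        z = sum(weights.values())
        for j, w in weights.items():
            q[(i, j)] = mass * w / z
    return q


def expected_cost(q, costs):
    """E[K(w)] of the word distribution with class masses q."""
    return sum(m * costs[j] for (_, j), m in q.items())


def word_entropy(q, sizes):
    """Entropy (Definition 5, in bits) of the distribution over words: a
    class of size n carrying mass m contributes n * (m/n) * lg(n/m)."""
    return sum(m * math.log2(sizes[key] / m) for key, m in q.items() if m > 0)


def cheapest_expected_cost(sizes, costs, label_mass):
    """Limit nu -> infinity: all of each label's mass on its cheapest class."""
    total = 0.0
    for i, mass in enumerate(label_mass):
        total += mass * min(costs[j] for (i2, j), n in sizes.items()
                            if i2 == i and n > 0)
    return total


def max_entropy_improviser(sizes, costs, label_mass, c, iterations=200):
    """Maximum-entropy improvising distribution when lambda = rho (assumption
    of this example). Bisect on nu for the smallest multiplier meeting the
    cost bound; nu = 0 when the bound is slack. Returns (class masses, nu)
    or None when even the cheapest classes exceed the bound (infeasible)."""
    if expected_cost(class_masses(sizes, costs, label_mass, 0.0), costs) <= c:
        return class_masses(sizes, costs, label_mass, 0.0), 0.0
    if cheapest_expected_cost(sizes, costs, label_mass) > c:
        return None
    lo, hi = 0.0, 1.0
    while expected_cost(class_masses(sizes, costs, label_mass, hi), costs) > c:
        hi *= 2.0
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if expected_cost(class_masses(sizes, costs, label_mass, mid), costs) > c:
            lo = mid
        else:
            hi = mid
    return class_masses(sizes, costs, label_mass, hi), hi
```

Usage: `max_entropy_improviser(SIZES, COSTS, LABEL_MASS, COST_BOUND)` returns masses of 0.25 on all four classes with ν ≈ 6.91 = ln 1000 and expected cost exactly at the bound 1.5; `word_entropy` of that distribution is about 6.98 bits against 1 bit for the distribution that puts 50% on each of the two cost-1 classes.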


7 Experiments 


We ran several experiments on the robotic planning problems from Sect. 2 (code 
available at [20]). These experiments aim to demonstrate that we can encode 
practical problems as LQCI instances solvable using our algorithms, highlight 
the relative advantages/disadvantages of our exact /approximate algorithms, and 
show the necessity of the label function in ensuring meaningful randomness. 
As a minimal experiment, we used a 6 x 6 grid world with a small range
of costs (0-3 per cell, 8-39 for paths); we compared against a 7 x 7 grid world
with a much larger range of costs (0-9 per cell, 38-137 for paths).⁴ We encoded
the specifications in Sect. 2 both as DFAs for our exact LQCI and MELQCI
algorithms, and as Boolean formulas for our approximate LQCI algorithm. The
Boolean encodings were obtained by formulating the specifications in the SMT
theory of bitvectors, and bit-blasting them with Z3 [26]; the resulting formu-
las had several thousand variables and tens of thousands of clauses. We used
UniGen3 [7,27] for uniform generation with its default tolerance⁵ of 17, and an


⁴ A larger 8 x 8 map exceeded our 24-hour wallclock timeout for all exact and approx-
imate experiments.
⁵ UniGen3 cannot guarantee a multiplicative error of less than 7.48 [6]; see footnote 3.
Table 1. Experiment parameters and improviser construction times (in minutes).

Map    Problem Type   (α_i, β_i)   (λ, ρ)      r    γ     δ    Wall Time     CPU Time
6 x 6  Exact QCI      (0, 3e-5)    (1, 1)      N/A  N/A   N/A  540           5568
6 x 6  Exact LQCI     (0, 1e-5)    (0.3, 0.4)  N/A  N/A   N/A  444           6102
6 x 6  Exact MELQCI   N/A          (0.3, 0.4)  N/A  N/A   N/A  444*          6102*
6 x 6  Approx. LQCI   (0, 1e-5)    (0.3, 0.4)  1.2  10^2  0.2  21.2 ± 0.7    81.5 ± 1.1
6 x 6  Approx. LQCI   (0, 1e-5)    (0.3, 0.4)  1.2  10^3  0.2  23.7 ± 0.6    93.3 ± 1.4
6 x 6  Approx. LQCI   (0, 1e-5)    (0.3, 0.4)  1.2  10^4  0.2  20.2 ± 0.7    78.4 ± 3.4
7 x 7  Exact QCI                   (1, 1)      N/A  N/A   N/A  Timed out (24-hour wall time)
7 x 7  Exact LQCI     (0, 1e-5)    (0.3, 0.4)  N/A  N/A   N/A  Timed out (24-hour wall time)
7 x 7  Exact MELQCI   N/A          (0.3, 0.4)  N/A  N/A   N/A  Timed out (24-hour wall time)
7 x 7  Approx. LQCI   (0, 1e-5)    (0.3, 0.4)  1.2  10^2  0.2  42.8 ± 2.1    186.1 ± 3.9
7 x 7  Approx. LQCI   (0, 1e-5)    (0.3, 0.4)  1.2  10^3  0.2  38.8 ± 8.8    152.6 ± 9.0
7 x 7  Approx. LQCI   (0, 1e-5)    (0.3, 0.4)  1.2  10^4  0.2  38.8 ± 9.7    145.5 ± 9.5

* The LQCI/MELQCI runtimes were nearly identical, since MELQCI reuses the
LQCI computations and adds a convex optimization step, which took negligible
time.


in-development version of ApproxMC [8,27,28] for approximate model counting
with tolerances of 1.4, 6.7, and 23.25, so that the overall $\gamma$ values were $10^2$, $10^3$,
and $10^4$. To put these values into context, the small/large maps had on the order
of 107/10° improvisations, and we required that no word have $> \beta = 10^{-5}$ proba-
bility of being selected. Therefore, with our tightest/loosest $\gamma$ we are guaranteed
that no word will be more than 0.1%/10% of the distribution respectively. The
confidence was set to 0.8 ($\delta = 0.2$), ApproxMC's default confidence. Each model
counting call however required a much higher confidence to achieve an overall $\delta$
of 0.2.

For the small/large maps respectively we used length bounds of (1, 25)/(1, 30)
and cost bounds of 30/50. We used label probability bounds of (0.3, 0.4) through-
out, except for unlabeled "QCI" experiments. The experiments were run on a
64-core machine with 188 GB of RAM; we used 62 parallel threads, unless this
exhausted RAM, in which case we used 16 threads. The experiments are sum-
marized in Table 1; due to significant runtime variability for the approximate
experiments, we report means and standard deviations over 10 repetitions. For
all exact experiments which completed within the 24-hour wallclock timeout, RAM
usage was < 6 GB per thread, and the average time to sample an improvisation
was < 1 ms; all approximate experiments required < 250 MB RAM per thread
and took ~ 20 s to sample an improvisation.
(a) QCI Traces   (b) MELQCI Traces

Fig. 3. Randomly-selected traces generated by the QCI/MELQCI improvisers for the
6 x 6 map. Note that all the QCI traces use the same charging station.


We can draw several conclusions from these results. Improviser construction 
with the exact algorithm is significantly more expensive than with the approxi- 
mate algorithm, in both CPU time and RAM. This is not surprising, as the exact 
encodings resulted in enormous DFAs which, for the large map, approached 101° 
states. Conversely, sampling is much faster for the exact algorithm, with no SAT 
queries required. We can also see that the approximate algorithm can be used 
to practically solve problems that are infeasible to solve exactly, such as the 
large-map problem. We expect new developments in the relatively young field of 
approximate model counting/sampling will further speed up our algorithm. 

Visualizing several randomly-chosen traces from our exact QCI and MELQCI
experiments in Fig. 3, we can see the importance of labels. In unlabeled QCI,
the robot always charged at the substation near the main road due to the lower 
expected cost of such paths. In contrast, MELQCI yielded a near-uniform dis- 
tribution over the charging stations. This increase in diversity was not free, 
with the average cost rising to 21.4 for MELQCI from 8.7 for QCI. This trade- 
off demonstrates how LQCI allows us to balance the need for control over our 
improvisations with the need for meaningful diversity (not merely randomness) 
by choosing appropriate label functions. 


8 Conclusion 


In this paper, we introduced labelled quantitative control improvisation as a 
framework allowing correct-by-construction synthesis of randomized systems 
whose behavior must be diverse with respect to a label function and near-optimal 
with respect to a cost function. We studied the theory of LQCI problems and 
developed algorithms for solving them for broad classes of specifications encoded 
as finite automata or Boolean formulas. Our experiments demonstrated how our 
framework can be used to formalize and solve realistic robotic planning problems. 
There are a number of clear directions for future work. Scalability is an
evident concern: our experiments show that our algorithms can require substan- 
tial resources to solve even relatively small LQCI problems. While LQCI with 
Boolean formulas is a difficult #P-hard problem, our algorithms will directly 
benefit from future progress in model counting; our DFA algorithms could also 
be improved through the use of abstraction to reduce state-space explosion. 
We also plan to explore generalizations of our algorithms, such as extending
our approximate scheme to MELQCI and to problems with exponentially-many
labels, as well as potentially infinite traces. Finally, we are investigating extensions
of the LQCI problem to reactive settings with adversarial environments,
and to black-box settings for design-space exploration and other problems where 
we do not have complete models for the cost function and other constraints. 